Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy

Dan Walsh 2010-10-07 14:11:24 -04:00
commit d618232c77
1211 changed files with 169447 additions and 0 deletions

COPYING (new file, 340 lines)

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

Changelog (new file, 820 lines)

@ -0,0 +1,820 @@
- Unconditional staff and user oidentd home config access from Dominick Grift.
- Conditional mmap_zero support from Dominick Grift.
- Added devtmpfs support.
- Dbadm updates from KaiGai Kohei.
- Virtio disk file context update from Mika Pfluger.
- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
- Add JIT usage for freshclam.
- Remove ethereal module since the application was renamed to wireshark.
- Remove duplicate/redundant rules, from Russell Coker.
- Increased default number of categories to 1024, from Russell Coker.
- Added modules:
accountsd (Dan Walsh)
cgroup (Dominick Grift)
kdumpgui (Dan Walsh)
livecd (Dan Walsh)
mojomojo (Lain Arnell)
sambagui (Dan Walsh)
shutdown (Dan Walsh)
* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524
- Merged a significant portion of Fedora policy.
- Move rules from mta mailserver delivery from interface to .te to use
attributes.
- Remove concept of users from terminal module interfaces since the
attributes are not specific to users.
- Add non-drawing X client support, for consolekit usage.
- Misc Gentoo fixes from Chris Richards.
- AFS and abrt fixes from Dominick Grift.
- Improved the XML docs of 55 most-used interfaces.
- Apcupsd and amavis fixes from Dominick Grift.
- Fix network_port() in corenetwork to correctly handle port ranges.
- SE-Postgresql updates from KaiGai Kohei.
- X object manager revisions from Eamon Walsh.
- Added modules:
aisexec (Dan Walsh)
chronyd (Miroslav Grepl)
cobbler (Dominick Grift)
corosync (Dan Walsh)
dbadm (KaiGai Kohei)
denyhosts (Dan Walsh)
nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
likewise (Scott Salley)
plymouthd (Dan Walsh)
pyicqt (Stefan Schulze Frielinghaus)
rhcs (Dan Walsh)
rgmanager (Dan Walsh)
sectoolm (Miroslav Grepl)
usbmuxd (Dan Walsh)
vhostmd (Dan Walsh)
* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
- Add separate x_pointer and x_keyboard classes inheriting from x_device.
From Eamon Walsh.
- Deprecated the userdom_xwindows_client_template().
- Misc Gentoo fixes from Corentin Labbe.
- Debian policykit fixes from Martin Orr.
- Fix unconfined_r use of unconfined_java_t.
- Add missing x_device rules for XI2 functions, from Eamon Walsh.
- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
- Add btrfs and ext4 to labeling targets.
- Fix infrastructure to expand macros in initrc_context when installing.
- Handle unix_chkpwd usage by useradd and groupadd.
- Add missing compatibility aliases for xdm_xserver*_t types.
- Added modules:
abrt (Dan Walsh)
dkim (Stefan Schulze Frielinghaus)
gitosis (Miroslav Grepl)
gnomeclock (Dan Walsh)
hddtemp (Dan Walsh)
kdump (Dan Walsh)
modemmanager(Dan Walsh)
nslcd (Dan Walsh)
puppet (Craig Grube)
rtkit (Dan Walsh)
seunshare (Dan Walsh)
shorewall (Dan Walsh)
tgtd (Matthew Ife)
tuned (Miroslav Grepl)
xscreensaver (Corentin Labbe)
* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
- Gentoo fixes for init scripts and system startup.
- Remove read_default_t tunable.
- Greylist milter from Paul Howarth.
- Crack db access for su to handle password expiration, from Brandon Whalen.
- Misc fixes for unix_update from Brandon Whalen.
- Add x_device permissions for XI2 functions, from Eamon Walsh.
- MLS constraints for the x_selection class, from Eamon Walsh.
- Postgresql updates from KaiGai Kohei.
- Milter state directory patch from Paul Howarth.
- Add MLS constrains for ingress/egress and secmark from Paul Moore.
- Drop write permission from fs_read_rpc_sockets().
- Remove unused udev_runtime_t type.
- Patch for RadSec port from Glen Turner.
- Enable network_peer_controls policy capability from Paul Moore.
- Btrfs xattr support from Paul Moore.
- Add db_procedure install permission from KaiGai Kohei.
- Add support for network interfaces with access controlled by a Boolean
from the CLIP project.
- Several fixes from the CLIP project.
- Add support for labeled Booleans.
- Remove node definitions and change node usage to generic nodes.
- Add kernel_service access vectors, from Stephen Smalley.
- Added modules:
certmaster (Dan Walsh)
cpufreqselector (Dan Walsh)
devicekit (Dan Walsh)
fprintd (Dan Walsh)
git (Dan Walsh)
gpsd (Miroslav Grepl)
guest (Dan Walsh)
ifplugd (Dan Walsh)
lircd (Miroslav Grepl)
logadm (Dan Walsh)
pads (Dan Walsh)
pingd (Dan Walsh)
policykit (Dan Walsh)
pulseaudio (Dan Walsh)
psad (Dan Walsh)
portreserve (Dan Walsh)
sssd (Dan Walsh)
ulogd (Dan Walsh)
varnishd (Dan Walsh)
webadm (Dan Walsh)
wm (Dan Walsh)
xguest (Dan Walsh)
zosremote (Dan Walsh)
* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
- Fix consistency of audioentropy and iscsi module naming.
- Debian file context fix for xen from Russell Coker.
- Xserver MLS fix from Eamon Walsh.
- Add omapi port for dhcpcd.
- Deprecate per-role templates and rolemap support.
- Implement user-based access control for use as role separations.
- Move shared library calls from individual modules to the domain module.
- Enable open permission checks policy capability.
- Remove hierarchy from portage module as it is not a good example of
hieararchy.
- Remove enableaudit target from modular build as semodule -DB supplants it.
- Added modules:
milter (Paul Howarth)
* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
- Logrotate and Bind updates from Vaclav Ovsik.
- Init script file and domain support.
- Glibc 2.7 fix from Vaclav Ovsik.
- Samba/winbind update from Mike Edenfield.
- Policy size optimization with a non-security file attribute from James
Carter.
- Database labeled networking update from KaiGai Kohei.
- Several misc changes from the Fedora policy, cherry picked by David
Hardeman.
- Large whitespace fix from Dominick Grift.
- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
- Issuing commands to upstart is over a datagram socket, not the initctl
named pipe. Updated init_telinit() to match.
- Added modules:
cyphesis (Dan Walsh)
memcached (Dan Walsh)
oident (Dominick Grift)
w3c (Dan Walsh)
* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702
- Fix httpd_enable_homedirs to actually provide the access it is supposed to
provide.
- Add unused interface/template parameter metadata in XML.
- Patch to handle postfix data_directory from Vaclav Ovsik.
- SE-Postgresql policy from KaiGai Kohei.
- Patch for X.org dbus support from Martin Orr.
- Patch for labeled networking controls in 2.6.25 from Paul Moore.
- Module loading now requires setsched on kernel threads.
- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
- X application data class from Eamon Walsh and Ted Toth.
- Move user roles into individual modules.
- Make hald_log_t a log file.
- Cryptsetup runs shell scripts. Patch from Martin Orr.
- Add file for enabling policy capabilities.
- Patch to fix leaky interface/template call depth calculator from Vaclav
Ovsik.
- Added modules:
kerneloops (Dan Walsh)
kismet (Dan Walsh)
podsleuth (Dan Walsh)
prelude (Dan Walsh)
qemu (Dan Walsh)
virt (Dan Walsh)
* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402
- Add core Security Enhanced X Windows support.
- Fix winbind socket connection interface for default location of the
sock_file.
- Add wireshark module based on ethereal module.
- Revise upstart support in init module to use a tunable, as upstart is now
used in Fedora too.
- Add iferror.m4 rather generate it out of the Makefiles.
- Definitions for open permisson on file and similar objects from Eric
Paris.
- Apt updates for ptys and logs, from Martin Orr.
- RPC update from Vaclav Ovsik.
- Exim updates on Debian from Devin Carrawy.
- Pam and samba updates from Stefan Schulze Frielinghaus.
- Backup update on Debian from Vaclav Ovsik.
- Cracklib update on Debian from Vaclav Ovsik.
- Label /proc/kallsyms with system_map_t.
- 64-bit capabilities from Stephen Smalley.
- Labeled networking peer object class updates.
* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214
- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
- Improve several tunables descriptions from Dan Walsh.
- Patch to clean up ns switch usage in the policy from Dan Walsh.
- More complete labeled networking infrastructure from KaiGai Kohei.
- Add interface for libselinux constructor, for libselinux-linked
SELinux-enabled programs.
- Patch to restructure user role templates to create restricted user roles
from Dan Walsh.
- Russian man page translations from Andrey Markelov.
- Remove unused types from dbus.
- Add infrastructure for managing all user web content.
- Deprecate some old file and dir permission set macros in favor of the
newer, more consistently-named macros.
- Patch to clean up unescaped periods in several file context entries from
Jan-Frode Myklebust.
- Merge shlib_t into lib_t.
- Merge strict and targeted policies. The policy will now behave like the
strict policy if the unconfined module is not present. If it is, it will
behave like the targeted policy. Added an unconfined role to have a mix
of confined and unconfined users.
- Added modules:
exim (Dan Walsh)
postfixpolicyd (Jan-Frode Myklebust)
* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
- Add support for setting the unknown permissions handling.
- Fix XML building for external reference builds and headers builds.
- Patch to add missing requirements in userdomain interfaces from Shintaro
Fujiwara.
- Add tcpd_wrapped_domain() for services that use tcp wrappers.
- Update MLS constraints from LSPP evaluated policy.
- Allow initrc_t file descriptors to be inherited regardless of MLS level.
Accordingly drop MLS permissions from daemons that inherit from any level.
- Files and radvd updates from Stefan Schulze Frielinghaus.
- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
mls_write_all_levels() and mls_read_all_levels(), for consistency.
- Add make kernel and init ranged interfaces pass the range transition MLS
constraints. Also remove calls to mls_rangetrans_target() in modules that use
the kernel and init interfaces, since its redundant.
- Add interfaces for all MLS attributes except X object classes.
- Require all sensitivities and categories for MLS and MCS policies, not just
the low and high sensitivity and category.
- Database userspace object manager classes from KaiGai Kohei.
- Add third-party interface for Apache CGI.
- Add getserv and shmemserv nscd permissions.
- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
- Added modules:
application
awstats (Stefan Schulze Frielinghaus)
bitlbee (Devin Carraway)
brctl (Dan Walsh)
* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
libraries module.
- Unified labeled networking policy from Paul Moore.
- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
- Xen updates from Dan Walsh.
- Filesystem updates from Dan Walsh.
- Large samba update from Dan Walsh.
- Drop snmpd_etc_t.
- Confine sendmail and logrotate on targeted.
- Tunable connection to postgresql for users from KaiGai Kohei.
- Memprotect support patch from Stephen Smalley.
- Add logging_send_audit_msgs() interface and deprecate
send_audit_msgs_pattern().
- Openct updates patch from Dan Walsh.
- Merge restorecon into setfiles.
- Patch to begin separating out hald helper programs from Dan Walsh.
- Fixes for squid, dovecot, and snmp from Dan Walsh.
- Miscellaneous consolekit fixes from Dan Walsh.
- Patch to have avahi use the nsswitch interface rather than individual
permissions from Dan Walsh.
- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
to handle usage from userhelper from Dan Walsh.
- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
- Patch to allow slocate to getattr other filesystems and directories on those
filesystems from Dan Walsh.
- Fixes for RHEL4 from the CLIP project.
- Replace the old lrrd fc entries with munin ones.
- Move program admin template usage out of userdom_admin_user_template() to
sysadm policy in userdomain.te to fix usage of the template for third
parties.
- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
template instead of an interface.
- Added modules:
amtu (Dan Walsh)
apcupsd (Dan Walsh)
rpcbind (Dan Walsh)
rwho (Nalin Dahyabhai)
* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417
- Patch for sasl's use of kerberos from Dan Walsh.
- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
- Man page updates from Dan Walsh.
- Two patches from Paul Moore to for ipsec to remove redundant rules and
have setkey read the config file.
- Move booleans and tunables to modules when it is only used in a single
module.
- Add support for tunables and booleans local to a module.
- Merge sbin_t and ls_exec_t into bin_t.
- Remove disable_trans booleans.
- Output different header sets for kernel and userland from flask headers.
- Marked the pax class as deprecated, changed it to userland so
it will be removed from the kernel.
- Stop including netfilter contexts by default.
- Add dontaudits for init fds and console to init_daemon_domain().
- Patch to allow gpg to create user keys dir.
- Patch to support kvmfs from Dan Walsh.
- Patch for misc fixes in sudo from Dan Walsh.
- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
- Patch for handling restart of nscd when ran from useradd, groupadd, and
admin passwd, from Dan Walsh.
- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
- Patch for setroubleshoot for validating file contexts from Dan Walsh.
- Patch for gssd fixes from Dan Walsh.
- Patch for lvm fixes from Dan Walsh.
- Patch for ricci fixes from Dan Walsh.
- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
- Patch for kerberized telnet fixes from Dan Walsh.
- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
- Patch for an additional wine executable from Dan Walsh.
- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
corecommands, devices, and java from Dan Walsh.
- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
- Patch for misc fixes to bluetooth from Dan Walsh.
- Patch for misc fixes to kerberos from Dan Walsh.
- Patch to start deprecating usercanread attribute from Ryan Bradetich.
- Add dccp_socket object class which was added in kernel 2.6.20.
- Patch for prelink relabefrom it's temp files from Dan Walsh.
- Patch for capability fix for auditd and networking fix for syslogd from
Dan Walsh.
- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
- Patch to allow apmd to telinit from Dan Walsh.
- Patch for additional labeling of samba files from Stefan Schulze
Frielinghaus.
- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
- Fix ptys and ttys to be device nodes.
- Fix explicit use of httpd_t in openca_domtrans().
- Clean up file context regexes in apache and java, from Eamon Walsh.
- Patches from Dan Walsh:
Thu, 25 Jan 2007
- Added modules:
consolekit (Dan Walsh)
fail2ban (Dan Walsh)
zabbix (Dan Walsh)
* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
- Add policy patterns support macros. This changes the behavior of
the create_dir_perms and create_file_perms permission sets.
- Association polmatch MLS constraint making unlabeled_t an exception
is no longer needed, patch from Venkat Yekkirala.
- Context contains checking for PAM and cron from James Antill.
- Add a reload target to Modules.devel and change the load
target to only insert modules that were changed.
- Allow semanage to read from /root on strict non-MLS for
local policy modules.
- Gentoo init script fixes for udev.
- Allow udev to read kernel modules.inputmap.
- Dnsmasq fixes from testing.
- Allow kernel NFS server to getattr filesystems so df can work
on clients.
- Patch from Matt Anderson for a MLS constraint exemption on a
file that can be written to from a subject whose range is
within the object's range.
- Enhanced setransd support from Darrel Goeddel.
- Patches from Dan Walsh:
Tue, 24 Oct 2006
Wed, 29 Nov 2006
- Added modules:
aide (Matt Anderson)
ccs (Dan Walsh)
iscsi (Dan Walsh)
ricci (Dan Walsh)
* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
- Patch from Russell Coker Thu, 5 Oct 2006
- Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
categories configurable as build options.
- Add role infrastructure.
- Debian updates from Erich Schubert.
- Add nscd_socket_use() to auth_use_nsswitch().
- Remove old selopt rules.
- Full support for netfilter_contexts.
- MRTG patch for daemon operation from Stefan.
- Add authlogin interface to abstract common access for login programs.
- Remove setbool auditallow, except for RHEL4.
- Change eventpollfs to task SID labeling.
- Add key support from Michael LeMay.
- Add ftpdctl domain to ftp, from Paul Howarth.
- Fix build system to not move type declarations out of optionals.
- Add gcc-config domain to portage.
- Add packet object class and support in corenetwork.
- Add a copy of genhomedircon for monolithic policy building, so that a
policycoreutils package update is not required for RHEL4 systems.
- Add appletalk sockets for use in cups.
- Add Make target to validate module linking.
- Make duplicate template and interface declarations a fatal error.
- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
- Move xconsole_device_t from devices to xserver since it is
not actually a device, it is a named pipe.
- Handle nonexistant .fc and .if files in devel Makefile by
automatically creating empty files.
- Remove unused devfs_control_t.
- Add rhel4 distro, which also implies redhat distro.
- Remove unneeded range_transition for su_exec_t and move the
type declaration back to the su module.
- Constrain transitions in MCS so unconfined_t cannot have
arbitrary category sets.
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
are currently nonfunctional.
- Change files and filesystem modules to use their own interfaces.
- Add user fonts to xserver.
- Additional interfaces in corecommands, miscfiles, and userdomain
from Joy Latten.
- Miscellaneous fixes from Thomas Bleher.
- Deprecate module name as first parameter of optional_policy()
now that optionals are allowed everywhere.
- Enable optional blocks in base module and monolithic policy.
This requires checkpolicy 1.30.1.
- Fix vpn module declaration.
- Numerous fixes from Dan Walsh.
- Change build order to preserve m4 line number information so policy
compile errors are useful again.
- Additional MLS interfaces from Chad Hanson.
- Move some rules out of domain_type() and domain_base_type()
to the TE file, to use the domain attribute to take advantage
of space savings from attribute use.
- Add global stack smashing protector rule for urandom access from
Petre Rodan.
- Fix temporary rules at the bottom of portmap.
- Updated comments in mls file from Chad Hanson.
- Patches from Dan Walsh:
Fri, 17 Mar 2006
Wed, 29 Mar 2006
Tue, 11 Apr 2006
Fri, 14 Apr 2006
Tue, 18 Apr 2006
Thu, 20 Apr 2006
Tue, 02 May 2006
Mon, 15 May 2006
Thu, 18 May 2006
Tue, 06 Jun 2006
Mon, 12 Jun 2006
Tue, 20 Jun 2006
Wed, 26 Jul 2006
Wed, 23 Aug 2006
Thu, 31 Aug 2006
Fri, 01 Sep 2006
Tue, 05 Sep 2006
Wed, 20 Sep 2006
Fri, 22 Sep 2006
Mon, 25 Sep 2006
- Added modules:
afs
amavis (Erich Schubert)
apt (Erich Schubert)
asterisk
audioentropy
authbind
backup
calamaris
cipe
clamav (Erich Schubert)
clockspeed (Petre Rodan)
courier
dante
dcc
ddclient
dpkg (Erich Schubert)
dnsmasq
ethereal
evolution
games
gatekeeper
gift
gnome (James Carter)
imaze
ircd
jabber
monop
mozilla
mplayer
munin
nagios
nessus
netlabel (Paul Moore)
nsd
ntop
nx
oav
oddjob (Dan Walsh)
openca
openvpn (Petre Rodan)
perdition
portslave
postgrey
pxe
pyzor (Dan Walsh)
qmail (Petre Rodan)
razor
resmgr
rhgb
rssh
snort
soundserver
speedtouch
sxid
thunderbird
tor (Erich Schubert)
transproxy
tripwire
uptime
uwimap
vmware
watchdog
xen (Dan Walsh)
xprint
yam
* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
- Make all interface parameters required.
- Move boot_t, system_map_t, and modules_object_t to files module,
and move bootloader to admin layer.
- Add semanage policy for semodule from Dan Walsh.
- Remove allow_execmem from targeted policy domain_base_type().
- Add users_extra and seusers support.
- Postfix fixes from Serge Hallyn.
- Run python and shell directly to interpret scripts so policy
sources need not be executable.
- Add desc tag XML to booleans and tunables, and add summary
to param XML tag, to make future translations possible.
- Remove unused lvm_vg_t.
- Many interface renames to improve naming consistency.
- Merge xdm into xserver.
- Remove kernel module reversed interfaces.
- Add filename attribute to module XML tag and lineno attribute to
interface XML tag.
- Changed QUIET build option to a yes or no option.
- Add a Makefile used for compiling loadable modules in a
user's development environment, building against policy headers.
- Add Make target for installing policy headers.
- Separate per-userdomain template expansion from the userdomain
module and add infrastructure to expand templates in the modules
that own the template.
- Enable secadm only for MLS policies.
- Remove role change rules in su and sudo since this functionality has been
removed from these programs.
- Add ctags Make target from Thomas Bleher.
- Collapse commands with grep piped to sed into one sed command.
- Fix type_change bug in term_user_pty().
- Move ice_tmp_t from miscfiles to xserver.
- Login fixes from Serge Hallyn.
- Move xserver_log_t from xdm to xserver.
- Add lpr per-userdomain policy to lpd.
- Miscellaneous fixes from Dan Walsh.
- Change initrc_var_run_t interface noun from script_pid to utmp,
for greater clarity.
- Added modules:
certwatch
mono (Dan Walsh)
mrtg
portage
tvtime
userhelper
usernetctl
wine (Dan Walsh)
xserver
* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
- Adds support for generating corenetwork interfaces based on attributes
in addition to types.
- Permits the listing of multiple nodes in a network_node() that will be
given the same type.
- Add two new permission sets for stream sockets.
- Rename file type transition interfaces verb from create to
filetrans to differentiate it from create interfaces without
type transitions.
- Fix expansion of interfaces from disabled modules.
- Rsync can be long running from init,
added rules to allow this.
- Add polyinstantiation build option.
- Add setcontext to the association object class.
- Add apache relay and db connect tunables.
- Rename texrel_shlib_t to textrel_shlib_t.
- Add swat to samba module.
- Numerous miscellaneous fixes from Dan Walsh.
- Added modules:
alsa
automount
cdrecord
daemontools (Petre Rodan)
ddcprobe
djbdns (Petre Rodan)
fetchmail
irc
java
lockdev
logwatch (Dan Walsh)
openct
prelink (Dan Walsh)
publicfile (Petre Rodan)
readahead
roundup
screen
slocate (Dan Walsh)
slrnpull
smartmon
sysstat
ucspitcp (Petre Rodan)
usbmodules
vbetool (Dan Walsh)
* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
- Add unlabeled IPSEC association rule to domains with
networking permissions.
- Merge systemuser back in to users, as these files
do not need to be split.
- Add check for duplicate interface/template definitions.
- Move domain, files, and corecommands modules to kernel
layer to resolve some layering inconsistencies.
- Move policy build options out of Makefile into build.conf.
- Add yppasswd to nis module.
- Change optional_policy() to refer to the module name
rather than modulename.te.
- Fix labeling targets to use installed file_contexts rather
than partial file_contexts in the policy source directory.
- Fix build process to use make's internal vpath functions
to detect modules rather than using subshells and find.
- Add install target for modular policy.
- Add load target for modular policy.
- Add appconfig dependency to the load target.
- Miscellaneous fixes from Dan Walsh.
- Fix corenetwork gen_context()'s to expand during the policy
build phase instead of during the generation phase.
- Added policies:
amanda
avahi
canna
cyrus
dbskk
dovecot
distcc
i18n_input
irqbalance
lpd
networkmanager
pegasus
postfix
procmail
radius
rdisc
rpc
spamassassin
timidity
xdm
xfs
* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
- Many fixes to make loadable modules build.
- Add targets for sechecker.
- Updated to sedoctool to read bool files and tunable
files separately.
- Changed the xml tag of <boolean> to <bool> to be consistent
with gen_bool().
- Modified the implementation of segenxml to use regular
expressions.
- Rename context_template() to gen_context() to clarify
that its not a Reference Policy template, but a support
macro.
- Add disable_*_trans bool support for targeted policy.
- Add MLS module to handle MLS constraint exceptions,
such as reading up and writing down.
- Fix errors uncovered by sediff.
- Added policies:
anaconda
apache
apm
arpwatch
bluetooth
dmidecode
finger
ftp
kudzu
mailman
ppp
radvd
sasl
webalizer
* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
- Make logrotate, sendmail, sshd, and rpm policies
unconfined in the targeted policy so no special
modules.conf is required.
- Add experimental MCS support.
- Add appconfig for MLS.
- Add equivalents for old can_resolve(), can_ldap(), and
can_portmap() to sysnetwork.
- Fix base module compile issues.
- Added policies:
cpucontrol
cvs
ktalk
portmap
postgresql
rlogin
samba
snmp
stunnel
telnet
tftp
uucp
vpn
zebra
* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
- Fix errors uncovered by sediff.
- Doc tool will explicitly say a module does not have interfaces
or templates on the module page.
- Added policies:
comsat
dbus
dhcp
dictd
hal
inn
ntp
squid
* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
- Add Makefile support for building loadable modules.
- Add genclassperms.py tool to add require blocks
for loadable modules.
- Change sedoctool to make required modules part of base
by default, otherwise make as modules, in modules.conf.
- Fix segenxml to handle modules with no interfaces.
- Rename ipsec connect interface for consistency.
- Add missing parts of unix stream socket connect interface
of ipsec.
- Rename inetd connect interface for consistency.
- Rename interface for purging contents of tmp, for clarity,
since it allows deletion of classes other than file.
- Misc. cleanups.
- Added policies:
acct
bind
firstboot
gpm
howl
ldap
loadkeys
mysql
privoxy
quota
rshd
rsync
su
sudo
tcpd
tmpreaper
updfstab
* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
- Fix comparison bug in fc_sort.
- Fix handling of ordered and unordered HTML lists.
- Corenetwork now supports multiple network interfaces having the
same type.
- Doc tool now creates pages for global Booleans and global tunables.
- Doc tool now links directly to the interface/template in the
module page when it is selected in the interface/template index.
- Added support for layer summaries.
- Added policies:
ipsec
nscd
pcmcia
raid
* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
- Changed xml to have modules encapsulated by layer tags, rather
than putting layer="foo" in the module tags. Also in the future
we can put a summary and description for each layer.
- Added tool to infer interface, module, and layer tags. This will
now list all interfaces, even if they are missing xml docs.
- Shortened xml tag names.
- Added macros to declare interfaces and templates.
- Added interface call trace.
- Updated all xml documentation for shorter and inferred tags.
- Doc tool now displays templates in the web pages.
- Doc tool retains the user's settings in modules.conf and
tunables.conf if the files already exist.
- Modules.conf behavior has been changed to be a list of all
available modules, and the user can specify if the module is
built as a loadable module, included in the monolithic policy,
or excluded.
- Added policies:
fstools (fsck, mkfs, swapon, etc. tools)
logrotate
inetd
kerberos
nis (ypbind and ypserv)
ssh (server, client, and agent)
unconfined
- Added infrastructure for targeted policy support, only missing
transition boolean support.
* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
- Initial release
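Review bot: a few typos in the changelog entries should be fixed before this lands: in the 20070417 entry, "Patch for prelink relabefrom it's temp files" should read "relabelfrom its temp files" and "Two patches from Paul Moore to for ipsec" has a stray "to"; in the 20061018 entry, "nonexistant .fc and .if files" should be "nonexistent" and "as it's xattrs are currently nonfunctional" should use "its".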

48
INSTALL Normal file

@ -0,0 +1,48 @@
Reference Policy has a requirement of checkpolicy 1.33.1 and
libsepol-1.16.2. Red Hat Enterprise Linux 4 and Fedora Core 4 RPMs
are available on the CLIP download page at http://oss.tresys.com,
and can be installed thusly:
Red Hat Enterprise Linux 4:
rpm -i libsepol-1.11.7-1.i386.rpm
rpm -U checkpolicy-1.28-4.i386.rpm
Fedora Core 4:
rpm -U libsepol-1.11.7-1.i386.rpm checkpolicy-1.28-4.i386.rpm
To install Reference Policy sources into /etc/selinux/refpolicy/src/policy:
make install-src
This will back up a pre-existing source policy to the
/etc/selinux/refpolicy/src/policy.bak directory.
If you do not have a modules.conf, one can be generated:
make conf
This will create a default modules.conf. Options for the policy
build process can be found in build.conf. After installing the policy sources,
the old Make targets have been maintained for the monolithic policy:
Local policy development:
make policy
Compile and install the policy:
make install
Compile, install, and load the policy:
make load
Filesystem labeling:
make relabel
make checklabels
make restorelabels
See the README for more information on available make targets.
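Review bot: the requirement stated in the first paragraph (checkpolicy 1.33.1 and libsepol-1.16.2) is inconsistent with the rpm commands that follow, which install libsepol-1.11.7-1 and checkpolicy-1.28-4; either the requirement line or the example package names is stale, and as written a reader following the commands ends up with a toolchain below the stated minimum. The two distribution blocks also differ without explanation (`rpm -i` for libsepol on Red Hat Enterprise Linux 4, `rpm -U` on Fedora Core 4); if that is intentional, a short note saying why would help.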

670
Makefile Normal file

@ -0,0 +1,670 @@
#
# Makefile for the security policy.
#
# Targets:
#
# install - compile and install the policy configuration, and context files.
# load - compile, install, and load the policy configuration.
# reload - compile, install, and load/reload the policy configuration.
# relabel - relabel filesystems based on the file contexts configuration.
# checklabels - check filesystems against the file context configuration
# restorelabels - check filesystems against the file context configuration
# and restore the label of files with incorrect labels
# policy - compile the policy configuration locally for testing/development.
#
# The default target is 'policy'.
#
#
# Please see build.conf for policy build options.
#
########################################
#
# NO OPTIONS BELOW HERE
#
# Include the local build.conf if it exists, otherwise
# include the configuration of the root directory.
include build.conf
ifdef LOCAL_ROOT
-include $(LOCAL_ROOT)/build.conf
endif
# refpolicy version
version = $(shell cat VERSION)
ifdef LOCAL_ROOT
builddir := $(LOCAL_ROOT)/
tmpdir := $(LOCAL_ROOT)/tmp
tags := $(LOCAL_ROOT)/tags
else
tmpdir := tmp
tags := tags
endif
# executable paths
BINDIR ?= /usr/bin
SBINDIR ?= /usr/sbin
ifdef TEST_TOOLCHAIN
tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
else
tc_usrbindir := $(BINDIR)
tc_usrsbindir := $(SBINDIR)
tc_sbindir := /sbin
endif
CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
CHECKMODULE ?= $(tc_usrbindir)/checkmodule
SEMODULE ?= $(tc_usrsbindir)/semodule
SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SETFILES ?= $(tc_sbindir)/setfiles
XMLLINT ?= $(BINDIR)/xmllint
SECHECK ?= $(BINDIR)/sechecker
# interpreters and aux tools
AWK ?= gawk
GREP ?= egrep
INSTALL ?= install
M4 ?= m4
PYTHON ?= python
SED ?= sed
SORT ?= LC_ALL=C sort
CFLAGS += -Wall
# policy source layout
poldir := policy
moddir := $(poldir)/modules
flaskdir := $(poldir)/flask
secclass := $(flaskdir)/security_classes
isids := $(flaskdir)/initial_sids
avs := $(flaskdir)/access_vectors
# local source layout
ifdef LOCAL_ROOT
local_poldir := $(LOCAL_ROOT)/policy
local_moddir := $(local_poldir)/modules
endif
# policy building support tools
support := support
genxml := $(PYTHON) -E $(support)/segenxml.py
gendoc := $(PYTHON) -E $(support)/sedoctool.py
genperm := $(PYTHON) -E $(support)/genclassperms.py
fcsort := $(tmpdir)/fc_sort
setbools := $(AWK) -f $(support)/set_bools_tuns.awk
get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
m4iferror := $(support)/iferror.m4
m4divert := $(support)/divert.m4
m4undivert := $(support)/undivert.m4
# use our own genhomedircon to make sure we have a known usable one,
# so policycoreutils updates are not required (RHEL4)
genhomedircon := $(PYTHON) -E $(support)/genhomedircon
# documentation paths
docs := doc
xmldtd = $(docs)/policy.dtd
metaxml = metadata.xml
doctemplate = $(docs)/templates
docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
ifndef LOCAL_ROOT
polxml = $(docs)/policy.xml
tunxml = $(docs)/global_tunables.xml
boolxml = $(docs)/global_booleans.xml
htmldir = $(docs)/html
else
polxml = $(LOCAL_ROOT)/doc/policy.xml
tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml
boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml
htmldir = $(LOCAL_ROOT)/doc/html
endif
# config file paths
globaltun = $(poldir)/global_tunables
globalbool = $(poldir)/global_booleans
rolemap = $(poldir)/rolemap
user_files := $(poldir)/users
policycaps := $(poldir)/policy_capabilities
# local config file paths
ifndef LOCAL_ROOT
mod_conf = $(poldir)/modules.conf
booleans = $(poldir)/booleans.conf
tunables = $(poldir)/tunables.conf
else
mod_conf = $(local_poldir)/modules.conf
booleans = $(local_poldir)/booleans.conf
tunables = $(local_poldir)/tunables.conf
endif
# install paths
PKGNAME ?= refpolicy-$(version)
prefix = $(DESTDIR)/usr
topdir = $(DESTDIR)/etc/selinux
installdir = $(topdir)/$(strip $(NAME))
srcpath = $(installdir)/src
userpath = $(installdir)/users
policypath = $(installdir)/policy
contextpath = $(installdir)/contexts
homedirpath = $(contextpath)/files/homedir_template
fcpath = $(contextpath)/files/file_contexts
ncpath = $(contextpath)/netfilter_contexts
sharedir = $(prefix)/share/selinux
modpkgdir = $(sharedir)/$(strip $(NAME))
headerdir = $(modpkgdir)/include
docsdir = $(prefix)/share/doc/$(PKGNAME)
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
gennetfilter += -m
endif
# enable MLS if MCS requested.
ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
gennetfilter += -c
endif
# enable distribution-specific policy
ifneq ($(DISTRO),)
M4PARAM += -D distro_$(DISTRO)
endif
# rhel4 also implies redhat
ifeq "$(DISTRO)" "rhel4"
M4PARAM += -D distro_redhat
endif
ifeq "$(DISTRO)" "ubuntu"
M4PARAM += -D distro_debian
endif
ifneq ($(OUTPUT_POLICY),)
CHECKPOLICY += -c $(OUTPUT_POLICY)
endif
# if not set, use the type as the name.
NAME ?= $(TYPE)
# default unknown permissions setting
#UNK_PERMS ?= deny
ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif
ifeq "$(UBAC)" "y"
M4PARAM += -D enable_ubac
endif
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 1024
MCS_CATS ?= 1024
ifeq ($(QUIET),y)
verbose = @
endif
M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms
# we need exuberant ctags; unfortunately it is named
# differently on different distros
ifeq ($(DISTRO),debian)
CTAGS := ctags-exuberant
endif
ifeq ($(DISTRO),gentoo)
CTAGS := exuberant-ctags
endif
CTAGS ?= ctags
m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt)
ifdef LOCAL_ROOT
m4support += $(wildcard $(local_poldir)/support/*.spt)
endif
m4support += $(m4undivert)
appconf := config/appconfig-$(TYPE)
seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
ifdef LOCAL_ROOT
all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d)
endif
generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in)))
generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in)))
generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in)))
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
layer_names := $(sort $(notdir $(all_layers)))
all_metaxml = $(call detect-metaxml, $(layer_names))
# modules.conf setting for base module
configbase := base
# modules.conf setting for loadable module
configmod := module
# modules.conf setting for unused module
configoff := off
# test for module overrides from command line
mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS))
mod_test += $(filter $(APPS_MODS), $(APPS_BASE))
ifneq "$(strip $(mod_test))" ""
$(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!)
endif
# add on suffix to modules specified on command line
cmdline_base := $(addsuffix .te,$(APPS_BASE))
cmdline_mods := $(addsuffix .te,$(APPS_MODS))
cmdline_off := $(addsuffix .te,$(APPS_OFF))
# extract settings from modules.conf
mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
base_mods := $(cmdline_base)
mod_mods := $(cmdline_mods)
off_mods := $(cmdline_off)
base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base))
mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods))
off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off))
# add modules not in modules.conf to the off list
off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
# filesystems to be used in labeling targets
filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
########################################
#
# Functions
#
# parse-rolemap-compat modulename,outputfile
define parse-rolemap-compat
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# parse-rolemap modulename,outputfile
define parse-rolemap
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
endef
# perrole-expansion modulename,outputfile
define perrole-expansion
$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
$(call parse-rolemap,$1,$2)
$(verbose) echo "')" >> $2
$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
$(call parse-rolemap-compat,$1,$2)
$(verbose) echo "')" >> $2
endef
# create-base-per-role-tmpl modulenames,outputfile
define create-base-per-role-tmpl
$(verbose) echo "define(\`base_per_role_template',\`" >> $2
$(verbose) for i in $1; do \
echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \
>> $2 ;\
done
$(verbose) for i in $1; do \
echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\
echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\
echo """$$i""_per_userdomain_template("'$$*'")')" >> $2 ;\
done
$(verbose) echo "')" >> $@
endef
# detect-metaxml layer_names
ifdef LOCAL_ROOT
define detect-metaxml
$(shell for i in $1; do \
if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; then \
if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \
echo $(local_moddir)/$$i/$(metaxml) ;\
else \
echo $(moddir)/$$i/$(metaxml) ;\
fi \
elif [ -d $(local_moddir)/$$i ]; then
echo $(local_moddir)/$$i/$(metaxml) ;\
else \
echo $(moddir)/$$i/$(metaxml) ;\
fi \
done )
endef
else
define detect-metaxml
$(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done)
endef
endif
########################################
#
# Load appropriate rules
#
ifeq ($(MONOLITHIC),y)
include Rules.monolithic
else
include Rules.modular
endif
########################################
#
# Generated files
#
# NOTE: There is no "local" version of these files.
#
generate: $(generated_te) $(generated_if) $(generated_fc)
$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
@echo "#" > $@
@echo "# This is a generated file! Instead of modifying this file, the" >> $@
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $@.in >> $@
$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
| $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
$(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in
@echo "#" > $@
@echo "# This is a generated file! Instead of modifying this file, the" >> $@
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
########################################
#
# Network packet labeling
#
$(net_contexts): $(moddir)/kernel/corenetwork.te.in
@echo "Creating netfilter network labeling rules"
$(verbose) $(gennetfilter) $^ > $@
########################################
#
# Create config files
#
conf: $(mod_conf) $(booleans) $(generated_te) $(generated_if) $(generated_fc)
$(mod_conf) $(booleans): $(polxml)
@echo "Updating $(mod_conf) and $(booleans)"
$(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml)
########################################
#
# Generate the fc_sort program
#
$(fcsort) : $(support)/fc_sort.c
$(verbose) $(CC) $(CFLAGS) $^ -o $@
########################################
#
# Documentation generation
#
$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)))
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@
$(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
ifdef LOCAL_ROOT
$(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done
endif
$(tunxml): $(globaltun)
$(verbose) $(genxml) -w -t $< > $@
$(boolxml): $(globalbool)
$(verbose) $(genxml) -w -b $< > $@
$(polxml): $(layerxml) $(tunxml) $(boolxml)
@echo "Creating $(@F)"
@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
$(verbose) echo '<policy>' >> $@
$(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
$(verbose) cat $(tunxml) $(boolxml) >> $@
$(verbose) echo '</policy>' >> $@
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
fi
xml: $(polxml)
html $(tmpdir)/html: $(polxml)
@echo "Building html interface reference documentation in $(htmldir)"
@test -d $(htmldir) || mkdir -p $(htmldir)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml)
$(verbose) cp $(doctemplate)/*.css $(htmldir)
@touch $(tmpdir)/html
########################################
#
# Runtime binary policy patching of users
#
$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files)
@mkdir -p $(tmpdir)
@mkdir -p $(userpath)
@echo "Installing system.users"
@echo "# " > $(tmpdir)/system.users
@echo "# Do not edit this file. " >> $(tmpdir)/system.users
@echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users
@echo "# Please edit local.users to make local changes." >> $(tmpdir)/system.users
@echo "#" >> $(tmpdir)/system.users
$(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
-e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users
$(verbose) $(INSTALL) -m 644 $(tmpdir)/system.users $@
$(userpath)/local.users: config/local.users
@mkdir -p $(userpath)
@echo "Installing local.users"
$(verbose) $(INSTALL) -b -m 644 $< $@
########################################
#
# Build Appconfig files
#
$(tmpdir)/initrc_context: $(appconf)/initrc_context
@mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@
########################################
#
# Install Appconfig files
#
install-appconfig: $(appfiles)
$(installdir)/booleans: $(booleans)
@mkdir -p $(tmpdir)
@mkdir -p $(installdir)
$(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
-e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans
$(verbose) $(INSTALL) -m 644 $(tmpdir)/booleans $@
$(contextpath)/files/media: $(appconf)/media
@mkdir -p $(contextpath)/files/
$(verbose) $(INSTALL) -m 644 $< $@
$(contextpath)/users/%: $(appconf)/%_default_contexts
@mkdir -p $(appdir)/users
$(verbose) $(INSTALL) -m 644 $^ $@
$(appdir)/%: $(appconf)/%
@mkdir -p $(appdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $< > $@
########################################
#
# Install policy headers
#
install-headers: $(layerxml) $(tunxml) $(boolxml)
@mkdir -p $(headerdir)
@echo "Installing $(NAME) policy headers."
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
$(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap))
$(verbose) mkdir -p $(headerdir)/support
$(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
$(verbose) for i in $(notdir $(all_layers)); do \
mkdir -p $(headerdir)/$$i ;\
$(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\
done
$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
$(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf
ifneq "$(DISTRO)" ""
$(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf
endif
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
$(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
########################################
#
# Install policy documentation
#
install-docs: $(tmpdir)/html
@mkdir -p $(docsdir)/html
@echo "Installing policy documentation"
$(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir)
$(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html
########################################
#
# Install policy sources
#
install-src:
rm -rf $(srcpath)/policy.old
-mv $(srcpath)/policy $(srcpath)/policy.old
mkdir -p $(srcpath)/policy
cp -R . $(srcpath)/policy
########################################
#
# Generate tags file
#
tags: $(tags)
$(tags):
@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
@LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \
--regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \
--regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
--regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \
--regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
--regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \
--regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \
--regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt
########################################
#
# Filesystem labeling
#
checklabels:
@echo "Checking labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems)
restorelabels:
@echo "Restoring labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(verbose) $(SETFILES) -v $(fcpath) $(filesystems)
relabel:
@echo "Relabeling filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(verbose) $(SETFILES) $(fcpath) $(filesystems)
resetlabels:
@echo "Resetting labels on filesystem types: $(fs_names)"
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
fi
$(verbose) $(SETFILES) -F $(fcpath) $(filesystems)
########################################
#
# Clean everything
#
bare: clean
rm -f $(polxml)
rm -f $(layerxml)
rm -f $(modxml)
rm -f $(tunxml)
rm -f $(boolxml)
rm -f $(mod_conf)
rm -f $(booleans)
rm -fR $(htmldir)
rm -f $(tags)
# don't remove these files if we're given a local root
ifndef LOCAL_ROOT
rm -f $(fcsort)
rm -f $(support)/*.pyc
ifneq ($(generated_te),)
rm -f $(generated_te)
endif
ifneq ($(generated_if),)
rm -f $(generated_if)
endif
ifneq ($(generated_fc),)
rm -f $(generated_fc)
endif
endif
.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags
.SUFFIXES:
.SUFFIXES: .c
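Review bot: the `$(contextpath)/users/%` rule in the Install Appconfig section runs `@mkdir -p $(appdir)/users` but installs into `$(contextpath)/users/`; the two paths only coincide when `appdir` equals `contextpath`, so the recipe should create `$(dir $@)` (or `$(contextpath)/users`) to match its own target. Two smaller points in the same region: the `$(installdir)/booleans` recipe rewrites every `false`/`true` on a line with `-e 's/false/0/g' -e 's/true/1/g'`, which would also mangle a boolean whose name happens to contain either word, so anchoring the substitution to the value at the end of the line (e.g. `-e 's/false[[:blank:]]*$$/0/'`) is safer; and the `$(tags)` recipe calls bare `grep` where every other recipe uses `$(GREP)`. Finally, the closing `.PHONY` list omits `install-docs`, `checklabels`, `restorelabels`, `relabel` and `resetlabels`; unless they are declared phony elsewhere, a stray file with one of those names in the source tree would satisfy the target without running the recipe.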

269
README Normal file

@ -0,0 +1,269 @@
1) Reference Policy make targets:
General Make targets:
install-src Install the policy sources into
/etc/selinux/NAME/src/policy, where NAME is defined in
the Makefile. If not defined, the TYPE, as defined in
the Makefile, is used. The default NAME is refpolicy.
A pre-existing source policy will be moved to
/etc/selinux/NAME/src/policy.bak.
conf Regenerate policy.xml, and update/create modules.conf
and booleans.conf. This should be done after adding
or removing modules, or after running the bare target.
If the configuration files exist, their settings will
be preserved. This must be ran on policy sources that
are checked out from the CVS repository before they can
be used.
clean Delete all temporary files, compiled policies,
and file_contexts. Configuration files are left intact.
bare Do the clean make target and also delete configuration
files, web page documentation, and policy.xml.
html Regenerate policy.xml and create web page documentation
in the doc/html directory.
Make targets specific to modular (loadable modules) policies:
base Compile and package the base module. This is the
default target for modular policies.
modules Compile and package all Reference Policy modules
configured to be built as loadable modules.
MODULENAME.pp Compile and package the MODULENAME Reference Policy
module.
all Compile and package the base module and all Reference
Policy modules configured to be built as loadable
modules.
install Compile, package, and install the base module and
Reference Policy modules configured to be built as
loadable modules.
load Compile, package, and install the base module and
Reference Policy modules configured to be built as
loadable modules, then insert them into the module
store.
validate Validate if the configured modules can successfully
link and expand.
install-headers Install the policy headers into /usr/share/selinux/NAME.
The headers are sufficient for building a policy
module locally, without requiring the complete
Reference Policy sources. The build.conf settings
for this policy configuration should be set before
using this target.
Make targets specific to monolithic policies:
policy Compile a policy locally for development and testing.
This is the default target for monolithic policies.
install Compile and install the policy and file contexts.
load Compile and install the policy and file contexts, then
load the policy.
enableaudit Remove all dontaudit rules from policy.conf.
relabel Relabel the filesystem.
checklabels Check the labels on the filesystem, and report when
a file would be relabeled, but do not change its label.
restorelabels Relabel the filesystem and report each file that is
relabeled.
2) Reference Policy Build Options (build.conf)
TYPE String. Available options are standard, mls, and mcs.
For a type enforcement only system, set standard.
This optionally enables multi-level security (MLS) or
multi-category security (MCS) features. This option
controls enable_mls, and enable_mcs policy blocks.
NAME String (optional). Sets the name of the policy; the
NAME is used when installing files to e.g.,
/etc/selinux/NAME and /usr/share/selinux/NAME. If not
set, the policy type (TYPE) is used.
DISTRO String (optional). Enable distribution-specific policy.
Available options are redhat, rhel4, gentoo, debian,
and suse. This option controls distro_redhat,
distro_rhel4, distro_gentoo, distro_debian, and
distro_suse policy blocks.
MONOLITHIC Boolean. If set, a monolithic policy is built,
otherwise a modular policy is built.
DIRECT_INITRC Boolean. If set, sysadm will be allowed to directly
run init scripts, instead of requiring the run_init
tool. This is a build option instead of a tunable since
role transitions do not work in conditional policy.
This option controls direct_sysadm_daemon policy
blocks.
OUTPUT_POLICY Integer. Set the version of the policy created when
building a monolithic policy. This option has no effect
on modular policy.
UNK_PERMS String. Set the kernel behavior for handling of
permissions defined in the kernel but missing from the
policy. The permissions can either be allowed, denied,
or the policy loading can be rejected.
UBAC Boolean. If set, the SELinux user will be used
additionally for approximate role separation.
MLS_SENS Integer. Set the number of sensitivities in the MLS
policy. Ignored on standard and MCS policies.
MLS_CATS Integer. Set the number of categories in the MLS
policy. Ignored on standard and MCS policies.
MCS_CATS Integer. Set the number of categories in the MCS
policy. Ignored on standard and MLS policies.
QUIET Boolean. If set, the build system will only display
status messages and error messages. This option has no
effect on policy.
3) Reference Policy Files and Directories
All directories relative to the root of the Reference Policy sources directory.
Makefile General rules for building the policy.
Rules.modular Makefile rules specific to building loadable module
policies.
Rules.monolithic Makefile rules specific to building monolithic policies.
build.conf Options which influence the building of the policy,
such as the policy type and distribution.
config/appconfig-* Application configuration files for all configurations
of the Reference Policy (targeted/strict with or without
MLS or MCS). These are used by SELinux-aware programs.
config/local.users The file read by load policy for adding SELinux users
to the policy on the fly.
doc/html/* This contains the contents of the in-policy XML
documentation, presented in web page form.
doc/policy.dtd The doc/policy.xml file is validated against this DTD.
doc/policy.xml This file is generated/updated by the conf and html make
targets. It contains the complete XML documentation
included in the policy.
doc/templates/* Templates used for documentation web pages.
policy/booleans.conf This file is generated/updated by the conf make target.
It contains the booleans in the policy, and their
default values. If tunables are implemented as
booleans, tunables will also be included. This file
will be installed as the /etc/selinux/NAME/booleans
file.
policy/constraints This file defines additional constraints on permissions
in the form of boolean expressions that must be
satisfied in order for specified permissions to be
granted. These constraints are used to further refine
the type enforcement rules and the role allow rules.
Typically, these constraints are used to restrict
changes in user identity or role to certain domains.
policy/global_booleans This file defines all booleans that have a global scope,
their default value, and documentation.
policy/global_tunables This file defines all tunables that have a global scope,
their default value, and documentation.
policy/flask/initial_sids This file has declarations for each initial SID.
policy/flask/security_classes This file has declarations for each security class.
policy/flask/access_vectors This file defines the access vectors. Common
prefixes for access vectors may be defined at the
beginning of the file. After the common prefixes are
defined, an access vector may be defined for each
security class.
policy/mcs The multi-category security (MCS) configuration.
policy/mls The multi-level security (MLS) configuration.
policy/modules/* Each directory represents a layer in Reference Policy
all of the modules are contained in one of these layers.
policy/modules.conf This file contains a listing of available modules, and
how they will be used when building Reference Policy. To
prevent a module from being used, set the module to
"off". For monolithic policies, modules set to "base"
and "module" will be included in the policy. For
modular policies, modules set to "base" will be included
in the base module; those set to "module" will be
compiled as individual loadable modules.
policy/rolemap This file contains prefix and user domain type that
corresponds to each user role. The contents of this
file will be used to expand the per-user domain
templates for each module.
policy/support/* Support macros.
policy/users This file defines the users included in the policy.
support/* Tools used in the build process.
4) Building policy modules using Reference Policy headers:
The system must first have the Reference Policy headers installed, typically
by the distribution. Otherwise, the headers can be installed using the
install-headers target from the full Reference Policy sources.
To set up a directory to build a local module, one must simply place a .te
file in a directory. A sample Makefile to use in the directory is the
Makefile.example in the doc directory. This may be installed in
/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.
Larger projects can set up a structure of layers, just as in Reference
Policy, by creating policy/modules/LAYERNAME directories. Each layer also
must have a metadata.xml file which is an XML file with a summary tag and
optional desc (long description) tag. This should describe the purpose of
the layer.
Metadata.xml example:
<summary>ABC modules for the XYZ components.</summary>
Make targets for modules built from headers:
MODULENAME.pp Compile and package the MODULENAME local module.
all Compile and package the modules in the current
directory.
load Compile and package the modules in the current
directory, then insert them into the module store.
refresh Attempts to reinsert all modules that are currently
in the module store from the local and system module
packages.
xml Build a policy.xml from the XML included with the
base policy headers and any XML in the modules in
the current directory.
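Review bot: the `install-src` entry says a pre-existing source tree is moved to `/etc/selinux/NAME/src/policy.bak`, but the `install-src` target in this commit's Makefile moves it to `$(srcpath)/policy.old` and first removes any earlier `policy.old`, so the README should say `policy.old` and warn that only one backup is kept. Under `conf`, "checked out from the CVS repository" is stale for a git-hosted tree and "This must be ran" should read "This must be run". The `Metadata.xml example` shows only a `<summary>` element although the paragraph above describes a summary tag plus an optional desc tag; showing the optional `<desc>` too would make the expected format clearer.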

223
Rules.modular Normal file

@ -0,0 +1,223 @@
########################################
#
# Rules and Targets for building modular policies
#
all_modules := $(base_mods) $(mod_mods) $(off_mods)
all_interfaces := $(all_modules:.te=.if)
base_pkg := $(builddir)base.pp
base_fc := $(builddir)base.fc
base_conf := $(builddir)base.conf
base_mod := $(tmpdir)/base.mod
users_extra := $(tmpdir)/users_extra
base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
base_te_files := $(base_mods)
base_post_te_files := $(user_files) $(poldir)/constraints
base_fc_files := $(base_mods:.te=.fc)
mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
# policy packages to install
instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
# search layer dirs for source files
vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
########################################
#
# default action: create all module packages
#
default: policy
all policy: base modules
base: $(base_pkg)
modules: $(mod_pkgs)
install: $(instpkg) $(appfiles)
########################################
#
# Load all configured modules
#
load: $(instpkg) $(appfiles)
# make sure two directories exist since they are not
# created by semanage
@mkdir -p $(policypath) $(dir $(fcpath))
@echo "Loading configured modules."
$(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
########################################
#
# Install policy packages
#
$(modpkgdir)/%.pp: $(builddir)%.pp
@mkdir -p $(modpkgdir)
@echo "Installing $(NAME) $(@F) policy package."
$(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
########################################
#
# Build module packages
#
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(call perrole-expansion,$(basename $(@F)),$@.role)
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
$(tmpdir)/%.mod.fc: $(m4support) %.fc
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
@echo "Creating $(NAME) $(@F) policy package"
@test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
########################################
#
# Create a base module package
#
$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
@echo "Creating $(NAME) base module package"
@test -d $(builddir) || mkdir -p $(builddir)
$(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
ifneq "$(UNK_PERMS)" ""
$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
endif
$(base_mod): $(base_conf)
@echo "Compiling $(NAME) base module"
$(verbose) $(CHECKMODULE) $^ -o $@
$(tmpdir)/seusers: $(seusers)
@mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
$(users_extra): $(m4support) $(user_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
########################################
#
# Construct a base.conf
#
$(base_conf): $(base_sections)
@echo "Creating $(NAME) base module $(@F)"
@test -d $(@D) || mkdir -p $(@D)
$(verbose) cat $^ > $@
$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
$(tmpdir)/generated_definitions.conf:
@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
$(verbose) $(genperm) $(avs) $(secclass) > $@
$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
$(verbose) $(M4) $(M4PARAM) $^ > $@
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
@echo "divert(-1)" > $@
$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
@echo "divert" >> $@
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/rolemap.conf: $(rolemap)
$(verbose) echo "" > $@
$(call parse-rolemap,base,$@)
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
ifeq "$(strip $(base_te_files))" ""
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
# these have to run individually because order matters:
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
########################################
#
# Construct a base.fc
#
$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
$(verbose) $(fcsort) $< $@
$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
ifeq ($(base_fc_files),)
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
@echo "Creating $(NAME) base module file contexts."
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
########################################
#
# Appconfig files
#
$(appdir)/customizable_types: $(base_conf)
@mkdir -p $(appdir)
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
########################################
#
# Validate linking and expanding of modules
#
validate: $(base_pkg) $(mod_pkgs)
@echo "Validating policy linking."
$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
@echo "Success."
########################################
#
# Clean the sources
#
clean:
rm -f $(base_conf)
rm -f $(base_fc)
rm -f $(builddir)*.pp
rm -f $(net_contexts)
rm -fR $(tmpdir)
.PHONY: default all policy base modules install load clean validate
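Review bot: the `$(tmpdir)/all_interfaces.conf` recipe appends the m4 output to `$(tmpdir)/$(@F).tmp` with `>>` but never truncates that file, so when the target is rebuilt because an interface file changed (without an intervening `make clean`, which is what removes `$(tmpdir)`), the previous expansion is kept and the new one is appended after it, and the resulting `all_interfaces.conf` carries every interface defined twice; the first write should be `$(M4) $^ > $(tmpdir)/$(@F).tmp`. A nit in the `$(tmpdir)/%.mod` recipe: the status message reads "Compliling" instead of "Compiling".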

258
Rules.monolithic Normal file

@ -0,0 +1,258 @@
########################################
#
# Rules and Targets for building monolithic policies
#
# determine the policy version and current kernel version if possible
pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
kv := $(shell cat /selinux/policyvers)
# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
ifeq "$(kv)" ""
kv := $(pv)
endif
policy_conf = $(builddir)policy.conf
fc = $(builddir)file_contexts
polver = $(builddir)policy.$(pv)
homedir_template = $(builddir)homedir_template
M4PARAM += -D self_contained_policy
# install paths
loadpath = $(policypath)/$(notdir $(polver))
appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
# for monolithic policy use all base and module to create policy
all_modules := $(strip $(base_mods) $(mod_mods))
# off module interfaces included to make sure all interfaces are expanded.
all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
all_te_files := $(all_modules)
all_fc_files := $(all_modules:.te=.fc)
pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
post_te_files := $(user_files) $(poldir)/constraints
policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
# search layer dirs for source files
vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
########################################
#
# default action: build policy locally
#
default: policy
policy: $(polver)
install: $(loadpath) $(fcpath) $(appfiles)
load: $(tmpdir)/load
checklabels: $(fcpath)
restorelabels: $(fcpath)
relabel: $(fcpath)
resetlabels: $(fcpath)
########################################
#
# Build a binary policy locally
#
ifneq "$(UNK_PERMS)" ""
$(polver): CHECKPOLICY += -U $(UNK_PERMS)
endif
$(polver): $(policy_conf)
@echo "Compiling $(NAME) $(polver)"
ifneq ($(pv),$(kv))
@echo
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
@echo
endif
$(verbose) $(CHECKPOLICY) $^ -o $@
########################################
#
# Install a binary policy
#
ifneq "$(UNK_PERMS)" ""
$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
endif
$(loadpath): $(policy_conf)
@mkdir -p $(policypath)
@echo "Compiling and installing $(NAME) $(loadpath)"
ifneq ($(pv),$(kv))
@echo
@echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
@echo
endif
$(verbose) $(CHECKPOLICY) $^ -o $@
########################################
#
# Load the binary policy
#
reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
@echo "Loading $(NAME) $(loadpath)"
$(verbose) $(LOADPOLICY) -q $(loadpath)
@touch $(tmpdir)/load
########################################
#
# Construct a monolithic policy.conf
#
$(policy_conf): $(policy_sections)
@echo "Creating $(NAME) $(@F)"
@test -d $(@D) || mkdir -p $(@D)
$(verbose) cat $^ > $@
$(tmpdir)/pre_te_files.conf: $(pre_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
$(tmpdir)/generated_definitions.conf: $(all_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
# define all available object classes
$(verbose) $(genperm) $(avs) $(secclass) > $@
$(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
$(verbose) $(M4) $(M4PARAM) $^ > $@
$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
@echo "divert(-1)" > $@
$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
@echo "divert" >> $@
$(tmpdir)/rolemap.conf: $(rolemap)
$(verbose) echo "" > $@
$(call parse-rolemap,base,$@)
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
ifeq "$(strip $(all_te_files))" ""
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
# extract attributes and put them first. extract post te stuff
# like genfscon and put last.
$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
$(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
$(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
# these have to run individually because order matters:
$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
$(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
########################################
#
# Remove the dontaudit rules from the policy.conf
#
enableaudit: $(policy_conf)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
@echo "Removing dontaudit rules from $(notdir $(policy_conf))"
$(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
$(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
########################################
#
# Construct file_contexts
#
$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
$(verbose) $(fcsort) $< $@
$(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
$(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
ifeq ($(all_fc_files),)
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
endif
@echo "Creating $(NAME) file_contexts."
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
$(homedir_template): $(fc)
########################################
#
# Install file_contexts
#
$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
@echo "Validating $(NAME) file_contexts."
$(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
@echo "Installing file_contexts."
@mkdir -p $(contextpath)/files
$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
ifeq "$(DISTRO)" "rhel4"
# Setfiles in RHEL4 does not look at file_contexts.homedirs.
$(verbose) cat $@.homedirs >> $@
# Delete the file_contexts.homedirs in case the toolchain has
# been updated, to prevent duplicate match errors.
$(verbose) rm -f $@.homedirs
endif
########################################
#
# Intall netfilter_contexts
#
$(ncpath): $(net_contexts)
@echo "Installing $(NAME) netfilter_contexts."
$(verbose) $(INSTALL) -m 0644 $^ $@
########################################
#
# Run policy source checks
#
check: $(builddir)check.res
$(builddir)check.res: $(policy_conf) $(fc)
$(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
longcheck: $(builddir)longcheck.res
$(builddir)longcheck.res: $(policy_conf) $(fc)
$(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
########################################
#
# Appconfig files
#
$(appdir)/customizable_types: $(policy_conf)
@mkdir -p $(appdir)
$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
$(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
$(installdir)/seusers: $(seusers)
@mkdir -p $(installdir)
$(verbose) $(INSTALL) -m 644 $^ $@
########################################
#
# Clean the sources
#
clean:
rm -f $(policy_conf)
rm -f $(polver)
rm -f $(fc)
rm -f $(homedir_template)
rm -f $(net_contexts)
rm -f *.res
rm -fR $(tmpdir)
.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
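Review bot: `enableaudit` filters `policy.conf` with `$(GREP) -v dontaudit`, which removes every line containing that substring, comments included, and then overwrites `$(policy_conf)` in place so the stripped file looks up to date to the `$(polver)` and `$(loadpath)` rules until the next `make clean`; a pattern anchored to the rule keyword, such as `$(GREP) -v '^[[:blank:]]*dontaudit'`, would avoid deleting unrelated lines, and the README entry for `enableaudit` should mention that the change persists in `policy.conf`. The `$(tmpdir)/all_interfaces.conf` recipe has the same `>>` append into `$(tmpdir)/$(@F).tmp` as Rules.modular and should use `>` for the first write for the same reason. Two smaller points: `resetlabels` is defined beside `relabel` but is missing from the `.PHONY` list, and the netfilter_contexts comment reads "Intall".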

1
VERSION Normal file

@ -0,0 +1 @@
2.20100524

71
build.conf Normal file

@ -0,0 +1,71 @@
########################################
#
# Policy build options
#
# Policy version
# By default, checkpolicy will create the highest
# version policy it supports. Setting this will
# override the version. This only has an
# effect for monolithic policies.
#OUTPUT_POLICY = 18
# Policy Type
# standard, mls, mcs
TYPE = standard
# Policy Name
# If set, this will be used as the policy
# name. Otherwise the policy type will be
# used for the name.
NAME = refpolicy
# Distribution
# Some distributions have portions of policy
# for programs or configurations specific to the
# distribution. Setting this will enable options
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
#DISTRO = redhat
# Unknown Permissions Handling
# The behavior for handling permissions defined in the
# kernel but missing from the policy. The permissions
# can either be allowed, denied, or the policy loading
# can be rejected.
# allow, deny, and reject are current options.
#UNK_PERMS = deny
# Direct admin init
# Setting this will allow sysadm to directly
# run init scripts, instead of requring run_init.
# This is a build option, as role transitions do
# not work in conditional policy.
DIRECT_INITRC = n
# Build monolithic policy. Putting n here
# will build a loadable module policy.
MONOLITHIC = y
# User-based access control (UBAC)
# Enable UBAC for role separations.
UBAC = y
# Number of MLS Sensitivities
# The sensitivities will be s0 to s(MLS_SENS-1).
# Dominance will be in increasing numerical order
# with s0 being lowest.
MLS_SENS = 16
# Number of MLS Categories
# The categories will be c0 to c(MLS_CATS-1).
MLS_CATS = 1024
# Number of MCS Categories
# The categories will be c0 to c(MLS_CATS-1).
MCS_CATS = 1024
# Set this to y to only display status messages
# during build.
QUIET = n
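Review bot: the MCS_CATS comment says the categories will be "c0 to c(MLS_CATS-1)", copied from the MLS block; it should refer to MCS_CATS. The UNK_PERMS block lists allow, deny and reject but, with the line left commented out, does not say which of them the build falls back to; since this setting decides whether permissions the kernel knows but the policy does not are silently allowed, the effective default belongs in the comment. Minor: "requring" in the DIRECT_INITRC comment should be "requiring".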


@ -0,0 +1,6 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>


@ -0,0 +1,15 @@
system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
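Review bot: the sshd_t line offers sysadm_r:sysadm_t as a login context while the remote_login_t line above deliberately stops at staff_r:staff_t, so a network login through ssh can land directly in sysadm_r but one through remote_login cannot. If the intent is that remote administrators enter through staff_r and switch roles afterwards, drop sysadm_r:sysadm_t from the sshd_t line as well; otherwise a comment should record why ssh is exempt. The same remark applies to the identical copy of this file later in the commit.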


@ -0,0 +1,6 @@
auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t


@ -0,0 +1 @@
sysadm_r:sysadm_t:s0


@ -0,0 +1,6 @@
guest_r:guest_t:s0 guest_r:guest_t:s0
system_r:crond_t:s0 guest_r:guest_t:s0
system_r:initrc_su_t:s0 guest_r:guest_t:s0
system_r:local_login_t:s0 guest_r:guest_t:s0
system_r:remote_login_t:s0 guest_r:guest_t:s0
system_r:sshd_t:s0 guest_r:guest_t:s0


@ -0,0 +1 @@
system_u:system_r:initrc_t:s0


@ -0,0 +1,3 @@
cdrom system_u:object_r:removable_device_t:s0
floppy system_u:object_r:removable_device_t:s0
disk system_u:object_r:fixed_disk_device_t:s0


@ -0,0 +1 @@
system_u:object_r:removable_t:s0


@ -0,0 +1,11 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
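Review bot: the comment says uncommenting the sshd_t line lets root "automatically login as sysadm_r", but the first context listed on that line is unconfined_r:unconfined_t, and the first entry on a line that the user is permitted to reach is the one selected as the default; for a root identity that holds unconfined_r, enabling the line therefore yields an unconfined ssh login rather than a sysadm_r one. Either reorder the line so sysadm_r:sysadm_t comes first or reword the comment to describe what actually happens.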


@ -0,0 +1 @@
user_tty_device_t


@ -0,0 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
root:root:s0-mcs_systemhigh
__default__:user_u:s0


@ -0,0 +1,10 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0


@ -0,0 +1,9 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0


@ -0,0 +1,8 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 user_r:cronjob_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0


@ -0,0 +1 @@
system_u:sysadm_r:sysadm_t:s0


@ -0,0 +1,105 @@
#
# Config file for XSELinux extension
#
#
##
### Rules for X Clients
##
#
#
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
client * system_u:object_r:remote_t:s0
#
##
### Rules for X Properties
##
#
#
# Property rules map a property name to a context. A default property
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
# Clipboard and selection properties
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
# Default fallback type
property * system_u:object_r:xproperty_t:s0
#
##
### Rules for X Extensions
##
#
#
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
# Restricted extensions
extension SELinux system_u:object_r:security_xextension_t:s0
# Standard extensions
extension * system_u:object_r:xextension_t:s0
#
##
### Rules for X Selections
##
#
# Selection rules map a selection name to a context. A default selection
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
# Default fallback type
selection * system_u:object_r:xselection_t:s0
#
##
### Rules for X Events
##
#
#
# Event rules map an event protocol name to a context. A default event
# rule indicated by an asterisk should follow all other event rules.
#
# Input events
event X11:KeyPress system_u:object_r:input_xevent_t:s0
event X11:KeyRelease system_u:object_r:input_xevent_t:s0
event X11:ButtonPress system_u:object_r:input_xevent_t:s0
event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
event X11:MotionNotify system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t:s0
event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
# Default fallback type
event * system_u:object_r:xevent_t:s0


@ -0,0 +1,7 @@
system_r:crond_t:s0 xguest_r:xguest_t:s0
system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
system_r:local_login_t:s0 xguest_r:xguest_t:s0
system_r:remote_login_t:s0 xguest_r:xguest_t:s0
system_r:sshd_t:s0 xguest_r:xguest_t:s0
system_r:xdm_t:s0 xguest_r:xguest_t:s0
xguest_r:xguest_t:s0 xguest_r:xguest_t:s0


@ -0,0 +1,6 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>


@ -0,0 +1,15 @@
system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0


@ -0,0 +1,6 @@
auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t


@ -0,0 +1 @@
sysadm_r:sysadm_t:s0


@ -0,0 +1,5 @@
guest_r:guest_t:s0 guest_r:guest_t:s0
system_r:crond_t:s0 guest_r:guest_t:s0
system_r:local_login_t:s0 guest_r:guest_t:s0
system_r:remote_login_t:s0 guest_r:guest_t:s0
system_r:sshd_t:s0 guest_r:guest_t:s0
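Review bot: this copy of guest_u_default_contexts lacks the "system_r:initrc_su_t:s0 guest_r:guest_t:s0" line that the otherwise identical copy earlier in this commit carries (the hunk header confirms five lines, so it is not a rendering loss), so a guest entered through initrc_su_t gets no default context here; add the line or record why this variant differs.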


@ -0,0 +1 @@
system_u:system_r:initrc_t:s0-mls_systemhigh


@ -0,0 +1,3 @@
cdrom system_u:object_r:removable_device_t:s0
floppy system_u:object_r:removable_device_t:s0
disk system_u:object_r:fixed_disk_device_t:s0


@ -0,0 +1 @@
system_u:object_r:removable_t:s0


@ -0,0 +1,11 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0


@ -0,0 +1 @@
user_tty_device_t


@ -0,0 +1,3 @@
system_u:system_u:s0-mls_systemhigh
root:root:s0-mls_systemhigh
__default__:user_u:s0


@ -0,0 +1,10 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:crond_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0


@ -0,0 +1,9 @@
system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
system_r:rshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0


@ -0,0 +1,8 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:crond_t:s0 user_r:cronjob_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0


@ -0,0 +1 @@
system_u:sysadm_r:sysadm_t:s0


@ -0,0 +1,105 @@
#
# Config file for XSELinux extension
#
#
##
### Rules for X Clients
##
#
#
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
client * system_u:object_r:remote_t:s0
#
##
### Rules for X Properties
##
#
#
# Property rules map a property name to a context. A default property
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0
# Clipboard and selection properties
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0
# Default fallback type
property * system_u:object_r:xproperty_t:s0
#
##
### Rules for X Extensions
##
#
#
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
# Restricted extensions
extension SELinux system_u:object_r:security_xextension_t:s0
# Standard extensions
extension * system_u:object_r:xextension_t:s0
#
##
### Rules for X Selections
##
#
# Selection rules map a selection name to a context. A default selection
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0
# Default fallback type
selection * system_u:object_r:xselection_t:s0
#
##
### Rules for X Events
##
#
#
# Event rules map an event protocol name to a context. A default event
# rule indicated by an asterisk should follow all other event rules.
#
# Input events
event X11:KeyPress system_u:object_r:input_xevent_t:s0
event X11:KeyRelease system_u:object_r:input_xevent_t:s0
event X11:ButtonPress system_u:object_r:input_xevent_t:s0
event X11:ButtonRelease system_u:object_r:input_xevent_t:s0
event X11:MotionNotify system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0
# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t:s0
event X11:SelectionNotify system_u:object_r:client_xevent_t:s0
event X11:UnmapNotify system_u:object_r:client_xevent_t:s0
event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0
# Default fallback type
event * system_u:object_r:xevent_t:s0


@ -0,0 +1,7 @@
system_r:crond_t:s0 xguest_r:xguest_t:s0
system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
system_r:local_login_t:s0 xguest_r:xguest_t:s0
system_r:remote_login_t:s0 xguest_r:xguest_t:s0
system_r:sshd_t:s0 xguest_r:xguest_t:s0
system_r:xdm_t:s0 xguest_r:xguest_t:s0
xguest_r:xguest_t:s0 xguest_r:xguest_t:s0


@ -0,0 +1,6 @@
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>


@ -0,0 +1,15 @@
system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:sulogin_t sysadm_r:sysadm_t
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
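Review bot: the crond_t line lists system_r:system_crond_t for the system cron slot, whereas both earlier copies of default_contexts in this commit list system_r:cronjob_t in the same position; unless the policy this file belongs to really declares a type by that name, the three files should agree, since an entry naming a type the loaded policy does not declare can never be selected.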


@ -0,0 +1,6 @@
auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t


@ -0,0 +1 @@
sysadm_r:sysadm_t


@ -0,0 +1,7 @@
guest_r:guest_t guest_r:guest_t
system_r:crond_t guest_r:guest_t
system_r:initrc_su_t guest_r:guest_t
system_r:local_login_t guest_r:guest_t
system_r:remote_login_t guest_r:guest_t
system_r:sshd_t guest_r:guest_t


@ -0,0 +1 @@
system_u:system_r:initrc_t


@ -0,0 +1,3 @@
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t


@ -0,0 +1 @@
system_u:object_r:removable_t


@ -0,0 +1,11 @@
system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t


@ -0,0 +1 @@
user_tty_device_t


@ -0,0 +1,3 @@
system_u:system_u
root:root
__default__:user_u


@ -0,0 +1,10 @@
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t staff_r:staff_t
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
system_r:crond_t staff_r:cronjob_t
system_r:xdm_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t
staff_r:staff_sudo_t staff_r:staff_t
sysadm_r:sysadm_su_t sysadm_r:sysadm_t
sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t


@ -0,0 +1,9 @@
system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
system_r:initrc_t unconfined_r:unconfined_t
system_r:local_login_t unconfined_r:unconfined_t
system_r:remote_login_t unconfined_r:unconfined_t
system_r:rshd_t unconfined_r:unconfined_t
system_r:sshd_t unconfined_r:unconfined_t
system_r:sysadm_su_t unconfined_r:unconfined_t
system_r:unconfined_t unconfined_r:unconfined_t
system_r:xdm_t unconfined_r:unconfined_t


@ -0,0 +1,8 @@
system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
system_r:crond_t user_r:cronjob_t
system_r:xdm_t user_r:user_t
user_r:user_su_t user_r:user_t
user_r:user_sudo_t user_r:user_t


@ -0,0 +1 @@
system_u:sysadm_r:sysadm_t


@ -0,0 +1,105 @@
#
# Config file for XSELinux extension
#
#
##
### Rules for X Clients
##
#
#
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
client * system_u:object_r:remote_t
#
##
### Rules for X Properties
##
#
#
# Property rules map a property name to a context. A default property
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
property _SELINUX_* system_u:object_r:seclabel_xproperty_t
# Clipboard and selection properties
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
# Default fallback type
property * system_u:object_r:xproperty_t
#
##
### Rules for X Extensions
##
#
#
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
# Restricted extensions
extension SELinux system_u:object_r:security_xextension_t
# Standard extensions
extension * system_u:object_r:xextension_t
#
##
### Rules for X Selections
##
#
# Selection rules map a selection name to a context. A default selection
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
selection PRIMARY system_u:object_r:clipboard_xselection_t
selection CLIPBOARD system_u:object_r:clipboard_xselection_t
# Default fallback type
selection * system_u:object_r:xselection_t
#
##
### Rules for X Events
##
#
#
# Event rules map an event protocol name to a context. A default event
# rule indicated by an asterisk should follow all other event rules.
#
# Input events
event X11:KeyPress system_u:object_r:input_xevent_t
event X11:KeyRelease system_u:object_r:input_xevent_t
event X11:ButtonPress system_u:object_r:input_xevent_t
event X11:ButtonRelease system_u:object_r:input_xevent_t
event X11:MotionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t
# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t
event X11:SelectionNotify system_u:object_r:client_xevent_t
event X11:UnmapNotify system_u:object_r:client_xevent_t
event X11:ConfigureNotify system_u:object_r:client_xevent_t
# Default fallback type
event * system_u:object_r:xevent_t


@ -0,0 +1,7 @@
system_r:crond_t xguest_r:xguest_t
system_r:initrc_su_t xguest_r:xguest_t
system_r:local_login_t xguest_r:xguest_t
system_r:remote_login_t xguest_r:xguest_t
system_r:sshd_t xguest_r:xguest_t
system_r:xdm_t xguest_r:xguest_t
xguest_r:xguest_t xguest_r:xguest_t

21
config/local.users Normal file

@ -0,0 +1,21 @@
##################################
#
# User configuration.
#
# This file defines additional users recognized by the system security policy.
# Only the user identities defined in this file and the system.users file
# may be used as the user attribute in a security context.
#
# Each user has a set of roles that may be entered by processes
# with the users identity. The syntax of a user declaration is:
#
# user username roles role_set [ level default_level range allowed_range ];
#
# The MLS default level and allowed range should only be specified if
# MLS was enabled in the policy.
# sample for administrative user
# user jadmin roles { staff_r sysadm_r };
# sample for regular user
#user jdoe roles { user_r };

8
doc/Makefile.example Normal file

@ -0,0 +1,8 @@
AWK ?= gawk
NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
SHAREDIR ?= /usr/share/selinux
HEADERDIR := $(SHAREDIR)/$(NAME)/include
include $(HEADERDIR)/Makefile

6
doc/example.fc Normal file

@ -0,0 +1,6 @@
# myapp executable will have:
# label: system_u:object_r:myapp_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)

54
doc/example.if Normal file

@ -0,0 +1,54 @@
## <summary>Myapp example policy</summary>
## <desc>
## <p>
## More descriptive text about myapp. The desc
## tag can also use p, ul, and ol
## html tags for formatting.
## </p>
## <p>
## This policy supports the following myapp features:
## <ul>
## <li>Feature A</li>
## <li>Feature B</li>
## <li>Feature C</li>
## </ul>
## </p>
## </desc>
#
########################################
## <summary>
## Execute a domain transition to run myapp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`myapp_domtrans',`
gen_require(`
type myapp_t, myapp_exec_t;
')
domtrans_pattern($1,myapp_exec_t,myapp_t)
')
########################################
## <summary>
## Read myapp log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to read the log files.
## </summary>
## </param>
#
interface(`myapp_read_log',`
gen_require(`
type myapp_log_t;
')
logging_search_logs($1)
allow $1 myapp_log_t:file read_file_perms;
')

28
doc/example.te Normal file

@ -0,0 +1,28 @@
policy_module(myapp,1.0.0)
########################################
#
# Declarations
#
type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)
type myapp_log_t;
logging_log_file(myapp_log_t)
type myapp_tmp_t;
files_tmp_file(myapp_tmp_t)
########################################
#
# Myapp local policy
#
allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
allow myapp_t myapp_tmp_t:file manage_file_perms;
files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
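Review bot: myapp_t only gets read_file_perms and append_file_perms on myapp_log_t, and nothing transitions files that myapp_t creates in the log directory to myapp_log_t, so the example works only when the log file already exists with that label; if myapp is meant to create its own log, it also needs create permission and a name transition into the log directory (refpolicy's logging_log_filetrans(myapp_t, myapp_log_t, file)), mirroring what files_tmp_filetrans already does for the tmp file. Minor style: macro arguments mix "domain_entry_file(myapp_t, myapp_exec_t)" with "files_tmp_filetrans(myapp_t,myapp_tmp_t,file)"; pick one spacing.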

44
doc/policy.dtd Normal file

@ -0,0 +1,44 @@
<!ENTITY % inline.class "pre|p|ul|ol|li">
<!ELEMENT policy (layer+,(tunable|bool)*)>
<!ELEMENT layer (summary,module+)>
<!ATTLIST layer
name CDATA #REQUIRED>
<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
<!ATTLIST module
name CDATA #REQUIRED
filename CDATA #REQUIRED>
<!ELEMENT required (#PCDATA)>
<!ATTLIST required
val (true|false) "false">
<!ELEMENT tunable (desc)>
<!ATTLIST tunable
name CDATA #REQUIRED
dftval CDATA #REQUIRED>
<!ELEMENT bool (desc)>
<!ATTLIST bool
name CDATA #REQUIRED
dftval CDATA #REQUIRED>
<!ELEMENT summary (#PCDATA)>
<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)>
<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED>
<!ELEMENT desc (#PCDATA|%inline.class;)*>
<!ELEMENT param (summary)>
<!ATTLIST param
name CDATA #REQUIRED
optional (true|false) "false"
unused (true|false) "false">
<!ELEMENT infoflow EMPTY>
<!ATTLIST infoflow
type CDATA #REQUIRED
weight CDATA #IMPLIED>
<!ELEMENT rolebase EMPTY>
<!ELEMENT rolecap EMPTY>
<!ATTLIST pre caption CDATA #IMPLIED>
<!ELEMENT p (#PCDATA|%inline.class;)*>
<!ELEMENT ul (li+)>
<!ELEMENT ol (li+)>
<!ELEMENT li (#PCDATA|%inline.class;)*>
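Review bot: "pre" is listed in %inline.class; and receives an ATTLIST for caption, but there is no <!ELEMENT pre ...> declaration, so a validating parser rejects any document that actually uses <pre> inside desc, p or li and may warn about an attribute list for an undeclared element; add a declaration such as <!ELEMENT pre (#PCDATA)> alongside the p, ul, ol and li declarations.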

23
doc/templates/bool_list.html vendored Normal file

@ -0,0 +1,23 @@
<h3>Master boolean index:</h3>
[[for bool in booleans]]
<div id="interfacesmall">
[[if bool.has_key('mod_layer')]]
Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
[[bool['mod_name']]]</a><p/>
Layer: <a href='[[bool['mod_layer']]].html'>
[[bool['mod_layer']]]</a><p/>
[[else]]
Global
[[end]]
<div id="codeblock">
[[bool['bool_name']]]
<small>(Default: [[bool['def_val']]])</small>
</div>
[[if bool['desc']]]
<div id="description">
[[bool['desc']]]
</div>
[[end]]
</div>
[[end]]
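Review bot: bool.has_key('mod_layer') relies on the Python 2 dict method that Python 3 removed; "'mod_layer' in bool" works on both and reads better. The links are also followed by <p/>, which is not valid HTML (p is not a void element) and is rendered by browsers as an unclosed paragraph; use <br/> or a real <p>...</p>.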

13
doc/templates/boolean.html vendored Normal file

@ -0,0 +1,13 @@
[[for bool in booleans]]
<a name="link_[[bool['bool_name']]]"></a>
<div id="interface">
<div id="codeblock">[[bool['bool_name']]]</div>
<div id="description">
<h5>Default value</h5>
<p>[[bool['def_val']]]</p>
[[if bool['desc']]]
<h5>Description</h5>
[[bool['desc']]]
[[end]]
</div></div>
[[end]]

14
doc/templates/global_bool_list.html vendored Normal file

@ -0,0 +1,14 @@
<h3>Global booleans:</h3>
[[for bool in booleans]]
<div id="interface">
<div id="codeblock">[[bool['bool_name']]]</div>
<div id="description">
<h5>Default value</h5>
<p>[[bool['def_val']]]</p>
[[if bool['desc']]]
<h5>Description</h5>
[[bool['desc']]]
[[end]]
</div></div>
[[end]]

14
doc/templates/global_tun_list.html vendored Normal file

@ -0,0 +1,14 @@
<h3>Global tunables:</h3>
[[for tun in tunables]]
<div id="interface">
<div id="codeblock">[[tun['tun_name']]]</div>
<div id="description">
<h5>Default value</h5>
<p>[[tun['def_val']]]</p>
[[if tun['desc']]]
<h5>Description</h5>
[[tun['desc']]]
[[end]]
</div></div>
[[end]]

15
doc/templates/header.html vendored Normal file

@ -0,0 +1,15 @@
<html>
<head>
<title>
Security Enhanced Linux Reference Policy
</title>
<style type="text/css" media="all">@import "style.css";</style>
</head>
<body>
<div id="Header">Security Enhanced Linux Reference Policy</div>
[[menu]]
<div id="Content">
[[content]]
</div>
</body>
</html>

33
doc/templates/int_list.html vendored Normal file

@ -0,0 +1,33 @@
<h3>Master interface index:</h3>
[[for int in interfaces]]
<div id="interfacesmall">
Module: <a href='[[int['mod_layer']+ "_" + int['mod_name'] + ".html#link_" + int['interface_name']]]'>
[[int['mod_name']]]</a><p/>
Layer: <a href='[[int['mod_layer']]].html'>
[[int['mod_layer']]]</a><p/>
<div id="codeblock">
[[exec i = 0]]
<b>[[int['interface_name']]]</b>(
[[for arg in int['interface_parameters']]]
[[if i != 0]]
,
[[end]]
[[exec i = 1]]
[[if arg['optional'] == 'yes']]
[
[[end]]
[[arg['name']]]
[[if arg['optional'] == 'yes']]
]
[[end]]
[[end]]
)<br>
</div>
[[if int['interface_summary']]]
<div id="description">
[[int['interface_summary']]]
</div>
[[end]]
</div>
[[end]]
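Review bot: the parameter loop brackets an argument as optional only when arg['optional'] == 'yes', but the DTD added in this commit declares the param optional attribute as (true|false) with default "false"; if the generator passes that attribute value through unchanged, the comparison never matches and every optional parameter is shown as required. The same test appears in interface.html; the DTD, the generator and the templates should agree on one vocabulary.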

50
doc/templates/interface.html vendored Normal file

@ -0,0 +1,50 @@
[[for int in interfaces]]
<a name="link_[[int['interface_name']]]"></a>
<div id="interface">
[[if int.has_key("mod_layer")]]
Layer: [[mod_layer]]<br>
[[end]]
[[if int.has_key("mod_name")]]
Module: [[mod_name]]<br>
[[end]]
<div id="codeblock">
[[exec i = 0]]
<b>[[int['interface_name']]]</b>(
[[for arg in int['interface_parameters']]]
[[if i != 0]]
,
[[end]]
[[exec i = 1]]
[[if arg['optional'] == 'yes']]
[
[[end]]
[[arg['name']]]
[[if arg['optional'] == 'yes']]
]
[[end]]
[[end]]
)<br>
</div>
<div id="description">
[[if int['interface_summary']]]
<h5>Summary</h5>
[[int['interface_summary']]]
[[end]]
[[if int['interface_desc']]]
<h5>Description</h5>
[[int['interface_desc']]]
[[end]]
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="65%">
<tr><th >Parameter:</th><th >Description:</th></tr>
[[for arg in int['interface_parameters']]]
<tr><td>
[[arg['name']]]
</td><td>
[[arg['desc']]]
</td></tr>
[[end]]
</table>
</div>
</div>
[[end]]
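Review bot: the Layer and Module lines test int.has_key("mod_layer") and int.has_key("mod_name") but then render [[mod_layer]] and [[mod_name]] instead of int['mod_layer'] and int['mod_name'], so the check guards one variable and the output uses another, which either prints the wrong value or raises a NameError when the template-level name is unset; either render the int fields or test the template-level names. has_key is also Python 2 only, as already noted for bool_list.html.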

26
doc/templates/menu.html vendored Normal file

@ -0,0 +1,26 @@
<div id='Menu'>
[[for layer_name, layer_mods in menulist]]
<a href="[[layer_name]].html">+&nbsp;
[[layer_name]]</a></br/>
<div id='subitem'>
[[for module, s in layer_mods]]
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='[[layer_name + "_" + module]].html'>
[[module]]</a><br/>
[[end]]
</div>
[[end]]
<br/><p/>
<a href="global_booleans.html">*&nbsp;Global&nbsp;Booleans&nbsp;</a>
<br/><p/>
<a href="global_tunables.html">*&nbsp;Global&nbsp;Tunables&nbsp;</a>
<p/><br/><p/>
<a href="index.html">*&nbsp;Layer Index</a>
<br/><p/>
<a href="booleans.html">*&nbsp;Boolean&nbsp;Index</a>
<br/><p/>
<a href="tunables.html">*&nbsp;Tunable&nbsp;Index</a>
<br/><p/>
<a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
<br/><p/>
<a href="templates.html">*&nbsp;Template&nbsp;Index</a>
</div>
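Review bot: `</br/>` at the end of `[[layer_name]]</a></br/>` is not a valid tag; it should be `<br/>` as used two lines later for the module entries. The `<p/>` separators lower in the menu are also not valid HTML (p is not a void element, so browsers treat `<p/>` as an unclosed `<p>`); a `<br/>` or a margin on the block would give the same spacing without the malformed markup.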

52
doc/templates/module.html vendored Normal file

@ -0,0 +1,52 @@
<a name="top":></a>
<h1>Layer: [[mod_layer]]</h1><p/>
<h2>Module: [[mod_name]]</h2><p/>
[[if booleans]]
<a href=#booleans>Booleans</a>
[[end]]
[[if tunables]]
<a href=#tunables>Tunables</a>
[[end]]
[[if interfaces]]
<a href=#interfaces>Interfaces</a>
[[end]]
[[if templates]]
<a href=#templates>Templates</a>
[[end]]
<h3>Description:</h3>
[[if mod_desc]]
<p>[[mod_desc]]</p>
[[else]]
<p>[[mod_summary]]</p>
[[end]]
[[if mod_req]]
<p>This module is required to be included in all policies.</p>
[[end]]
<hr>
[[if booleans]]
<a name="booleans"></a>
<h3>Booleans: </h3>
[[booleans]]
<a href=#top>Return</a>
[[end]]
[[if tunables]]
<a name="tunables"></a>
<h3>Tunables: </h3>
[[tunables]]
<a href=#top>Return</a>
[[end]]
[[if interfaces]]
<a name="interfaces"></a>
<h3>Interfaces: </h3>
[[interfaces]]
<a href=#top>Return</a>
[[end]]
[[if templates]]
<a name="templates"></a>
<h3>Templates: </h3>
[[templates]]
<a href=#top>Return</a>
[[end]]
[[if not templates and not interfaces and not tunables]]
<h3>No booleans, tunables, interfaces, or templates.</h3>
[[end]]
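Review bot: the condition `[[if not templates and not interfaces and not tunables]]` omits booleans, so a module that defines only booleans still ends with "No booleans, tunables, interfaces, or templates."; add `and not booleans`. The first line, `<a name="top":></a>`, has a stray colon after the attribute, and the `href=#booleans` style links should quote their values like the other templates in this commit.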

19
doc/templates/module_list.html vendored Normal file

@ -0,0 +1,19 @@
[[if mod_layer]]
<h1>Layer: [[mod_layer]]</h1><p/>
[[if layer_summary]]
<p>[[layer_summary]]</p><br/>
[[end]]
[[end]]
<table border="1" cellspacing="0" cellpadding="3" width="75%">
<tr><td class="title">Module:</td><td class="title">Description:</td></tr>
[[for layer_name, layer_mods in menulist]]
[[for module, s in layer_mods]]
<tr><td>
<a href='[[layer_name + "_" + module]].html'>
[[module]]</a></td>
<td>[[s]]</td>
[[end]]
</td></tr>
[[end]]
</table>
<p/><br/><br/>
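Review bot: the row markup is unbalanced: `<tr><td>` opens inside `[[for module, s in layer_mods]]`, but the matching `</td></tr>` is emitted after that loop's `[[end]]`, so every module row is left without a closing `</tr>` and each layer adds one stray `</td></tr>`. Move `</tr>` inside the loop after `<td>[[s]]</td>` and drop the extra `</td>`.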

216
doc/templates/style.css vendored Normal file

@ -0,0 +1,216 @@
body {
margin:0px;
padding:0px;
font-family:verdana, arial, helvetica, sans-serif;
color:#333;
background-color:white;
}
h1 {
margin:0px 0px 5px 0px;
padding:0px;
font-size:150%
line-height:28px;
font-weight:900;
color:#ccc;
}
h2 {
font-size:125%;
margin:0px;
padding:5px 0px 10px 0px;
}
h3 {
font-size:110%;
margin:0px;
padding:5px 0px 10px 5px;
}
h4 {
font-size:100%;
margin:0px;
padding:5px 0px 10px 5px;
}
h5 {
font-size:100%;
margin:0px;
font-weight:600;
padding:0px 0px 5px 0px;
margin:0px 0px 0px 5px;
}
li {
font:11px/20px verdana, arial, helvetica, sans-serif;
margin:0px 0px 0px 10px;
padding:0px;
}
p {
/* normal */
font:11px/20px verdana, arial, helvetica, sans-serif;
margin:0px 0px 0px 10px;
padding:0px;
}
tt {
/* inline code */
font-family: monospace;
}
table {
background-color:#efefef;
/*background-color: white;*/
border-style:solid;
border-color:black;
border-width:0px 1px 1px 0px;
color: black;
text-align: left;
font:11px/20px verdana, arial, helvetica, sans-serif;
margin-left: 5%;
margin-right: 5%;
}
th {
font-weight:500;
background-color: #eaeaef;
text-align: center;
}
td.header {
font-weight: bold;
}
#Content>p {margin:0px;}
#Content>p+p {text-indent:30px;}
a {
color:#09c;
font-size:11px;
text-decoration:none;
font-weight:600;
font-family:verdana, arial, helvetica, sans-serif;
}
a:link {color:#09c;}
a:visited {color:#07a;}
a:hover {background-color:#eee;}
#Codeblock {
margin:5px 50px 5px 10px;
padding:5px 0px 5px 15px;
border-style:solid;
border-color:lightgrey;
border-width:1px 1px 1px 1px;
background-color:#f5f5ff;
font-size:100%;
font-weight:600;
text-decoration:none;
font-family:monospace;
}
#Interface {
margin:5px 0px 25px 5px;
padding:5px 0px 5px 5px;
border-style:solid;
border-color:black;
border-width:1px 1px 1px 1px;
background-color:#fafafa;
font-size:14px;
font-weight:400;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
}
#Interfacesmall {
margin:0px 0px 5px 0px;
padding:5px 0px 0px 5px;
border-style:solid;
border-color:black;
border-width:1px 1px 1px 1px;
background-color:#fafafa;
font-size:14px;
font-weight:400;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
}
#Template {
margin:5px 0px 25px 5px;
padding:5px 0px 5px 5px;
border-style:solid;
border-color:black;
border-width:1px 1px 1px 1px;
background-color:#fafafa;
font-size:14px;
font-weight:400;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
}
#Templatesmall {
margin:0px 0px 5px 0px;
padding:5px 0px 0px 5px;
border-style:solid;
border-color:black;
border-width:1px 1px 1px 1px;
background-color:#fafafa;
font-size:14px;
font-weight:400;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
}
#Description {
margin:0px 0px 0px 5px;
padding:0px 0px 0px 5px;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
font-size:12px;
font-weight:400;
}
pre {
margin:0px;
padding:0px;
font-size:14px;
text-decoration:none;
font-family:verdana, arial, helvetica, sans-serif;
}
dl {
/* definition text block */
font:11px/20px verdana, arial, helvetica, sans-serif;
margin:0px 0px 16px 0px;
padding:0px;
}
dt {
/* definition term */
font-weight: bold;
}
#Header {
margin:50px 0px 10px 0px;
padding:17px 0px 0px 20px;
/* For IE5/Win's benefit height = [correct height] + [top padding] + [top and bottom border widths] */
height:33px; /* 14px + 17px + 2px = 33px */
border-style:solid;
border-color:black;
border-width:1px 0px; /* top and bottom borders: 1px; left and right borders: 0px */
line-height:11px;
font-size:110%;
background-color:#eee;
voice-family: "\"}\"";
voice-family:inherit;
height:14px; /* the correct height */
}
body>#Header {height:14px;}
#Content {
margin:0px 50px 0px 200px;
padding:10px;
}
#Menu {
position:absolute;
top:100px;
left:20px;
width:162px;
padding:10px;
background-color:#eee;
border:1px solid #aaa;
line-height:17px;
text-align:left;
voice-family: "\"}\"";
voice-family:inherit;
width:160px;
}
#Menu subitem {
font-size: 5px;
}
body>#Menu {width:160px;}
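Review bot: most of the id rules here never match the templates in this commit because CSS id selectors are case-sensitive: the stylesheet defines `#Codeblock`, `#Interface`, `#Interfacesmall`, `#Template`, `#Templatesmall` and `#Description`, while interface.html, template.html, temp_list.html, tun_list.html and tunable.html emit `id="codeblock"`, `id="interface"`, `id="description"` and so on (only `#Menu` matches menu.html's `id='Menu'`). Lowercase the selectors or the ids. Also, `font-size:150%` in the `h1` rule is missing its semicolon, which makes the parser discard both it and the following `line-height:28px`; the `h5` rule sets `margin` twice; and `#Menu subitem` is an element selector for a tag named subitem, whereas menu.html uses `id='subitem'`, so it should be `#Menu #subitem`.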

33
doc/templates/temp_list.html vendored Normal file

@ -0,0 +1,33 @@
<h3>Master template index:</h3>
[[for temp in templates]]
<div id="templatesmall">
Module: <a href='[[temp['mod_layer']+ "_" + temp['mod_name'] + ".html#link_" + temp['template_name']]]'>
[[temp['mod_name']]]</a><p/>
Layer: <a href='[[temp['mod_layer']]].html'>
[[temp['mod_layer']]]</a><p/>
<div id="codeblock">
[[exec i = 0]]
<b>[[temp['template_name']]]</b>(
[[for arg in temp['template_parameters']]]
[[if i != 0]]
,
[[end]]
[[exec i = 1]]
[[if arg['optional'] == 'yes']]
[
[[end]]
[[arg['name']]]
[[if arg['optional'] == 'yes']]
]
[[end]]
[[end]]
)<br>
</div>
[[if temp['template_summary']]]
<div id="description">
[[temp['template_summary']]]
</div>
[[end]]
</div>
[[end]]

50
doc/templates/template.html vendored Normal file

@ -0,0 +1,50 @@
[[for temp in templates]]
<a name="link_[[temp['template_name']]]"></a>
<div id="template">
[[if temp.has_key("mod_layer")]]
Layer: [[mod_layer]]<br>
[[end]]
[[if temp.has_key("mod_name")]]
Module: [[mod_name]]<br>
[[end]]
<div id="codeblock">
[[exec i = 0]]
<b>[[temp['template_name']]]</b>(
[[for arg in temp['template_parameters']]]
[[if i != 0]]
,
[[end]]
[[exec i = 1]]
[[if arg['optional'] == 'yes']]
[
[[end]]
[[arg['name']]]
[[if arg['optional'] == 'yes']]
]
[[end]]
[[end]]
)<br>
</div>
<div id="description">
[[if temp['template_summary']]]
<h5>Summary</h5>
[[temp['template_summary']]]
[[end]]
[[if temp['template_desc']]]
<h5>Description</h5>
[[temp['template_desc']]]
[[end]]
<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="65%">
<tr><th >Parameter:</th><th >Description:</th></tr>
[[for arg in temp['template_parameters']]]
<tr><td>
[[arg['name']]]
</td><td>
[[arg['desc']]]
</td></tr>
[[end]]
</table>
</div>
</div>
[[end]]
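Review bot: same mismatch as in interface.html: `[[if temp.has_key("mod_layer")]]` checks the template dict, but the next line renders the page-level `[[mod_layer]]` instead of `[[temp['mod_layer']]]` (likewise `mod_name`), so the guard does not cover the value that is actually printed.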

23
doc/templates/tun_list.html vendored Normal file

@ -0,0 +1,23 @@
<h3>Master tunable index:</h3>
[[for tun in tunables]]
<div id="interfacesmall">
[[if tun.has_key('mod_layer')]]
Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
[[tun['mod_name']]]</a><p/>
Layer: <a href='[[tun['mod_layer']]].html'>
[[tun['mod_layer']]]</a><p/>
[[else]]
Global
[[end]]
<div id="codeblock">
[[tun['tun_name']]]
<small>(Default: [[tun['def_val']]])</small>
</div>
[[if tun['desc']]]
<div id="description">
[[tun['desc']]]
</div>
[[end]]
</div>
[[end]]

13
doc/templates/tunable.html vendored Normal file

@ -0,0 +1,13 @@
[[for tun in tunables]]
<a name="link_[[tun['tun_name']]]"></a>
<div id="interface">
<div id="codeblock">[[tun['tun_name']]]</div>
<div id="description">
<h5>Default value</h5>
<p>[[tun['def_val']]]</p>
[[if tun['desc']]]
<h5>Description</h5>
[[tun['desc']]]
[[end]]
</div></div>
[[end]]

65
man/man8/ftpd_selinux.8 Normal file

@ -0,0 +1,65 @@
.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation"
.SH "NAME"
.PP
ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons.
.SH "DESCRIPTION"
.PP
Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control.
.SH FILE_CONTEXTS
.PP
SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files.
.TP
Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type.
.PP
.B
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
.TP
.B
restorecon -F -R -v /var/ftp
.TP
Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
.PP
.B
semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
.TP
.B
restorecon -F -R -v /var/ftp/incoming
.SH BOOLEANS
.PP
SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool.
.TP
Allow ftp servers to read and write files with the public_content_rw_t file type.
.PP
.B
setsebool -P allow_ftpd_anon_write on
.TP
Allow ftp servers to read or write files in the user home directories.
.PP
.B
setsebool -P ftp_home_dir on
.TP
Allow ftp servers to read or write all files on the system.
.PP
.B
setsebool -P allow_ftpd_full_access on
.TP
Allow ftp servers to use cifs for public file transfer services.
.PP
.B
setsebool -P allow_ftpd_use_cifs on
.TP
Allow ftp servers to use nfs for public file transfer services.
.PP
.B
setsebool -P allow_ftpd_use_nfs on
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
.PP
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
.PP
selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8)
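Review bot: the prose "Allow ftp servers to read and write /var/tmp/incoming" names a different directory from the commands that follow it (`semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"` and `restorecon -F -R -v /var/ftp/incoming`); pick one path. The allow_ftpd_full_access entry should also carry a warning: per its own description it lets the daemon read or write every file on the system, which removes most of the benefit of confining ftpd, so it belongs last and flagged as a last resort rather than listed as just another boolean.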

109
man/man8/git_selinux.8 Normal file

@ -0,0 +1,109 @@
.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "NAME"
git_selinux \- Security Enhanced Linux Policy for the Git daemon.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the Git server via flexible mandatory access
control.
.SH FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
Policy governs the access daemons have to these files.
SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
.PP
The following file contexts types are by default defined for Git:
.EX
git_system_content_t
.EE
- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
.EX
git_session_content_t
.EE
- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
.SH BOOLEANS
SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
.PP
Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories.
.EX
sudo setsebool -P git_system_enable_homedirs 1
.EE
.PP
Allow the Git system daemon to read system shared repositories on NFS shares.
.EX
sudo setsebool -P git_system_use_nfs 1
.EE
.PP
Allow the Git system daemon to read system shared repositories on Samba shares.
.EX
sudo setsebool -P git_system_use_cifs 1
.EE
.PP
Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
.EX
sudo setsebool -P use_nfs_home_dirs 1
.EE
.PP
Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
.EX
sudo setsebool -P use_samba_home_dirs 1
.EE
.PP
To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
.EX
sudo setsebool -P git_system_enable_homedirs 1
.EE
.PP
To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
.EX
sudo setsebool -P git_session_bind_all_unreserved_ports 1
.EE
.SH GIT_SHELL
The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
.PP
To add a new Linux user and map him to this Git shell user domain automatically:
.EX
sudo useradd -Z git_shell_u joe
.EE
.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
.PP
To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
.EX
policy_module(project1, 1.0.0)
git_content_template(project1)
.EE
Next create a file named project1.fc and add a file context specification for the new repository type to it:
.EX
/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
.EE
Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
.EX
make -f /usr/share/selinux/devel/Makefile project.pp
sudo semodule -i project1.pp
sudo restorecon -R -v /srv/git/project1
.EE
To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
.EX
policy_module(project1user, 1.0.0)
git_role_template(project1user)
git_content_delegation(project1user_t, git_project1_content_t)
gen_user(project1user_u, user, project1user_r, s0, s0)
.EE
Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
.EX
make -f /usr/share/selinux/devel/Makefile project1user.pp
sudo semodule -i project1user.pp
sudo useradd -Z project1user_u jane
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dominick Grift <domg472@gmail.com>.
.SH "SEE ALSO"
selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
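Review bot: `make -f /usr/share/selinux/devel/Makefile project.pp` builds the wrong target; the module is declared as `policy_module(project1, 1.0.0)` and the next line installs `project1.pp`, so the make line must read `project1.pp`. The paragraph "To allow the Git System daemon mass hosting ... listen to any unreserved ports" is followed by `setsebool -P git_session_bind_all_unreserved_ports 1`, a session-daemon boolean; either the prose or the boolean name is wrong. git_system_enable_homedirs is also documented twice in BOOLEANS, and "systemm" and "respositories" are typos.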

120
man/man8/httpd_selinux.8 Normal file

@ -0,0 +1,120 @@
.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "NAME"
httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the httpd server via flexible mandatory access
control.
.SH FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
Policy governs the access daemons have to these files.
SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
.PP
The following file contexts types are defined for httpd:
.EX
httpd_sys_content_t
.EE
- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
.EX
httpd_sys_script_exec_t
.EE
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
.EX
httpd_sys_content_rw_t
.EE
- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access.
.EX
httpd_sys_content_ra_t
.EE
- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access.
.EX
httpd_unconfined_script_exec_t
.EE
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
.SH NOTE
With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
.SH SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
.EX
setsebool -P allow_httpd_anon_write=1
.EE
or
.EX
setsebool -P allow_httpd_sys_script_anon_write=1
.EE
.SH BOOLEANS
SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
.PP
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
.EX
setsebool -P httpd_enable_cgi 1
.EE
.PP
SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
.EX
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
.EE
.PP
SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
.EX
setsebool -P httpd_tty_comm 1
.EE
.PP
httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
.EX
setsebool -P httpd_unified 0
.EE
.PP
SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
.EX
setsebool -P httpd_can_sendmail 1
.PP
httpd can be configured to turn off internal scripting (PHP). PHP and other
loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
.EX
setsebool -P httpd_builtin_scripting 0
.EE
.PP
SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
This would prevent a hacker from breaking into you httpd server and attacking
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
.EX
setsebool -P httpd_can_network_connect 1
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
selinux(8), httpd(8), chcon(1), setsebool(8)
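Review bot: the `.EX` block opened before `setsebool -P httpd_can_sendmail 1` has no closing `.EE`, so the httpd_builtin_scripting paragraph after it is rendered as preformatted code until the next `.EE`. The same paragraph names the boolean `httpd_send_mail` in prose while the command uses `httpd_can_sendmail`; make them agree. The httpd_enable_homedirs example labels `~user/public_html` with `chcon`, which is lost on the next relabel; the rsync and samba pages in this commit show the persistent `semanage fcontext` plus `restorecon` form, which is the better recommendation here too. Typos: "SELinu", "vulnerabiltiy", "I certain situations".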


@ -0,0 +1,28 @@
.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "NAME"
kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
.SH BOOLEANS
.PP
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
.EX
setsebool -P allow_kerberos 1
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
selinux(8), kerberos(1), chcon(1), setsebool(8)

30
man/man8/named_selinux.8 Normal file

@ -0,0 +1,30 @@
.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "NAME"
named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the named server via flexible mandatory access
control.
.SH BOOLEANS
SELinux policy is customizable based on least access required. So by
default SElinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
.EX
setsebool -P named_write_master_zones 1
.EE
.PP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
selinux(8), named(8), chcon(1), setsebool(8)

31
man/man8/nfs_selinux.8 Normal file

@ -0,0 +1,31 @@
.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
.SH "NAME"
nfs_selinux \- Security Enhanced Linux Policy for NFS
.SH "DESCRIPTION"
Security Enhanced Linux secures the NFS server via flexible mandatory access
control.
.SH BOOLEANS
SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
.TP
setsebool -P nfs_export_all_ro 1
.TP
If you want to share files read/write you must set the nfs_export_all_rw boolean.
.TP
setsebool -P nfs_export_all_rw 1
.TP
These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
.TP
If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
.TP
setsebool -P use_nfs_home_dirs 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
selinux(8), chcon(1), setsebool(8)
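Review bot: every line of BOOLEANS is introduced with `.TP`, including the `setsebool` commands; `.TP` takes the next input line as a hanging tag and indents the paragraph after it, so each command is rendered as the tag of the sentence that follows it. Use `.PP` for the prose and the `.EX`/`.EE` macros that the other pages in this commit define for the commands.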

1
man/man8/nis_selinux.8 Normal file

@ -0,0 +1 @@
.so man8/ypbind_selinux.8

52
man/man8/rsync_selinux.8 Normal file

@ -0,0 +1,52 @@
.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "NAME"
rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the rsync server via flexible mandatory access
control.
.SH FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
Policy governs the access daemons have to these files.
If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
would need to label the directory with the chcon tool.
.TP
chcon -t public_content_t /var/rsync
.TP
.TP
To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
.TP
semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
.TP
This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
.TP
/var/rsync(/.*)? system_u:object_r:publix_content_t:s0
.TP
Run the restorecon command to apply the changes:
.TP
restorecon -R -v /var/rsync/
.EE
.SH SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute:
.EX
setsebool -P allow_rsync_anon_write=1
.EE
.SH BOOLEANS
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
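Review bot: the sample file_contexts.local entry `/var/rsync(/.*)? system_u:object_r:publix_content_t:s0` misspells the type; it must be `public_content_t` to match the `semanage fcontext` command above it, otherwise a reader comparing against their own file will think the command misfired. The `.EE` after `restorecon -R -v /var/rsync/` has no opening `.EX`, and the two consecutive `.TP` lines above "To make this change permanent" are doubled. The BOOLEANS section contains nothing but the GUI note; the `allow_rsync_anon_write` boolean described under SHARING FILES belongs there.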

56
man/man8/samba_selinux.8 Normal file

@ -0,0 +1,56 @@
.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
.SH "NAME"
samba_selinux \- Security Enhanced Linux Policy for Samba
.SH "DESCRIPTION"
Security-Enhanced Linux secures the Samba server via flexible mandatory access
control.
.SH FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
Policy governs the access daemons have to these files.
If you want to share files other than home directories, those files must be
labeled samba_share_t. So if you created a special directory /var/eng, you
would need to label the directory with the chcon tool.
.TP
chcon -t samba_share_t /var/eng
.TP
To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
.TP
semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
.TP
This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
.TP
/var/eng(/.*)? system_u:object_r:samba_share_t:s0
.TP
Run the restorecon command to apply the changes:
.TP
restorecon -R -v /var/eng/
.SH SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute:
setsebool -P allow_smbd_anon_write=1
.SH BOOLEANS
.br
SELinux policy is customizable based on least access required. So by
default SElinux policy turns off SELinux sharing of home directories and
the use of Samba shares from a remote machine as a home directory.
.TP
If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean.
.br
setsebool -P samba_enable_home_dirs 1
.TP
If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean.
.br
setsebool -P use_samba_home_dirs 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
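Review bot: `setsebool -P allow_smbd_anon_write=1` is not set off from the preceding paragraph (no `.PP` or `.EX`), so it runs into the sentence before it in the rendered page; the other pages in this commit put commands in an `.EX`/`.EE` block, and this one should too.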

19
man/man8/ypbind_selinux.8 Normal file

@ -0,0 +1,19 @@
.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
.SH "NAME"
ypbind_selinux \- Security Enhanced Linux Policy for NIS.
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
.SH BOOLEANS
.TP
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
.TP
setsebool -P allow_ypbind 1
.TP
system-config-selinux is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
selinux(8), ypbind(8), chcon(1), setsebool(8)


@ -0,0 +1,57 @@
.TH "ftpd_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation"
.SH "НАЗВАНИЕ"
ftpd_selinux \- Политика Security Enhanced Linux для демона ftp
.SH "ОПИСАНИЕ"
Security-Enhanced Linux обеспечивает защиту сервера ftpd при помощи гибко настраиваемого мандатного контроля доступа.
.SH КОНТЕКСТ ФАЙЛОВ
SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
Политика управляет видом доступа демона к этим файлам. Если вы хотите организовать анонимный
доступ к файлам, вы должны присвоить этим файлам и директориям контекст public_content_t.
Таким образом, если вы создаете специальную директорию /var/ftp, то вам необходимо установить контекст для этой директории при помощи утилиты chcon.
.TP
chcon -R -t public_content_t /var/ftp
.TP
Если вы хотите задать директорию, в которую вы собираетесь загружать файлы, то вы должны
установить контекст ftpd_anon_rw_t. Таким образом, если вы создаете специальную директорию /var/ftp/incoming, то вам необходимо установить контекст для этой директории при помощи утилиты chcon.
.TP
chcon -t public_content_rw_t /var/ftp/incoming
.TP
Вы также должны включить переключатель allow_ftpd_anon_write.
.TP
setsebool -P allow_ftpd_anon_write=1
.TP
Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
.TP
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
.br
/var/ftp(/.*)? system_u:object_r:public_content_t
/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
Политика SELinux для демона ftp настроена исходя из принципа наименьших привелегий. Таким
образом, по умолчанию политика SELinux не позволяет пользователям заходить на сервер и
читать содержимое их домашних директорий.
.br
Если вы настраиваете данную машину как ftpd-сервер и хотите, чтобы пользователи могли получать
доступ к своим домашним директориям, то вам необходимо установить переключатель ftp_home_dir.
.TP
setsebool -P ftp_home_dir 1
.TP
ftpd может функционировать как самостоятельный демон, а также как часть домена xinetd. Если вы
хотите, чтобы ftpd работал как демон, вы должны установить переключатель ftpd_is_daemon.
.TP
setsebool -P ftpd_is_daemon 1
.br
service vsftpd restart
.TP
Для управления настройками SELinux существует графическая утилита system-config-selinux.
.SH АВТОРЫ
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
.SH "СМОТРИ ТАКЖЕ"
selinux(8), ftpd(8), chcon(1), setsebool(8)
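Review bot: the prose and the command for the upload directory disagree on the type: the paragraph before the second chcon tells the reader to set ftpd_anon_rw_t, while the command itself and the file_contexts.local entry a few lines later both use public_content_rw_t. Make the paragraph say public_content_rw_t so all three lines agree. Two nits in the same hunk: «привелегий» in the BOOLEANS section should be «привилегий», and the first chcon is recursive (-R) while the one for /var/ftp/incoming is not, so files already present under incoming keep their old label.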

137
man/ru/man8/httpd_selinux.8 Normal file
@ -0,0 +1,137 @@
.TH "httpd_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "НАЗВАНИЕ"
httpd_selinux \- Политика Security Enhanced Linux для демона httpd
.SH "ОПИСАНИЕ"
Security-Enhanced Linux обеспечивает защиту сервера httpd при помощи гибко настраиваемого мандатного контроля доступа.
.SH КОНТЕКСТ ФАЙЛОВ
SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
Политика управляет видом доступа демона к этим файлам.
Политика SELinux для демона httpd позволяет пользователям настроить web-службы максимально безопасным методом с высокой степенью гибкости.
.PP
Для httpd определены следующие контексты файлов:
.EX
httpd_sys_content_t
.EE
- Установите контекст httpd_sys_content_t для содержимого, которое должно быть доступно для всех скриптов httpd и для самого демона.
.EX
httpd_sys_script_exec_t
.EE
- Установите контекст httpd_sys_script_exec_t для cgi-скриптов, чтобы разрешить им доступ ко всем sys-типам.
.EX
httpd_sys_script_ro_t
.EE
- Установите на файлы контекст httpd_sys_script_ro_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать данные, и при этом нужно запретить доступ другим не-sys скриптам.
.EX
httpd_sys_script_rw_t
.EE
- Установите на файлы контекст httpd_sys_script_rw_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и писать данные, и при этом нужно запретить доступ другим не-sys скриптам.
.EX
httpd_sys_script_ra_t
.EE
- Установите на файлы контекст httpd_sys_script_ra_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и добавлять данные, и при этом нужно запретить доступ другим не-sys скриптам.
.EX
httpd_unconfined_script_exec_t
.EE
- Установите на cgi-скрипты контекст httpd_unconfined_script_exec_t если вы хотите разрешить
им исполняться без какой-либо защиты SELinux. Такой способ должен использоваться только для
скриптов с очень комплексными требованиями, и только в случае, если все остальные варианты настройки не дали результата. Лучше использовать скрипты с контекстом httpd_unconfined_script_exec_t, чем выключать защиту SELinux для httpd.
.SH ЗАМЕЧАНИЕ
Вместе с некоторыми политиками, вы можете определить дополнительные контексты файлов, основанные
на ролях, таких как user или staff. Может быть определен контекст httpd_user_script_exec_t, который будет иметь доступ только к "пользовательским" контекстам.
.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для httpd вы должны выполнить команду:
.EX
setsebool -P allow_httpd_anon_write=1
.EE
или
.EX
setsebool -P allow_httpd_sys_script_anon_write=1
.EE
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
Политика SELinux настроена исходя из принципа наименьших привилегий. Таким образом,
по умолчанию SELinux препятствует работе некоторых http-скриптов. Политика httpd весьма
гибка, и существующие переключатели управляют политикой, позволяя httpd выполняться
с наименее возможными правами доступа.
.PP
Если вы хотите, чтобы httpd мог исполнять cgi-скрипты, установите переключатель httpd_enable_cgi
.EX
setsebool -P httpd_enable_cgi 1
.EE
.PP
По умолчанию демону httpd не разрешен доступ в домашние дерикториии пользователей. Если вы хотите разрешить доступ, вам необходимо установить переключатель httpd_enable_homedirs и изменить контекст
тех файлов в домашних директориях пользователей, к которым должен быть разрешен доступ.
.EX
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
.EE
.PP
По умолчанию демон httpd не имеет доступ к управляющему терминалу. В большинстве случаев такое
поведение является предпочтительным. Это связанно с тем, что злоумышленник может попытаться
использовать доступ к терминалу для получения привилегий. Однако, в некоторых ситуациях демон
httpd должен выводить запрос пароля для открытия файла сертификата и в таких случаях нужен доступ
к терминалу. Для того, чтобы разрешить доступ к терминалу, установите переключатель httpd_tty_comm.
.EX
setsebool -P httpd_tty_comm 1
.EE
.PP
httpd может быть настроен так, чтобы не разграничивать тип доступа к файлу на основании контекста.
Иными словами, ко всем файлам, имеющим контекст httpd разрешен доступ на чтение/запись/исполнение.
Установка этого переключателя в false, позволяет настроить политику безопасности таким образом,
что одина служба httpd не конфликтует с другой.
.EX
setsebool -P httpd_unified 0
.EE
.PP
Имеется возможность настроить httpd таким образом, чтобы отключить встроенную поддержку
скриптов (PHP). PHP и другие загружаемые модули работают в том же контексте, что и httpd.
Таким образом, если используются только внешние cgi-скрипты, некоторые из правил политики
разрешают httpd больший доступ к системе, чем необходимо.
.EX
setsebool -P httpd_builtin_scripting 0
.EE
.PP
По умолчанию httpd-скриптам запрещено устанавливать внешние сетевые подключения.
Это не позволит хакеру, взломавшему ваш httpd-сервер, атаковать другие машины.
Если вашим скриптам необходимо иметь возможность подключения, установите переключатель
httpd_can_network_connect
.EX
setsebool -P httpd_can_network_connect 1
.EE
.PP
Для управления настройками SELinux существует графическая утилита system-config-selinux.
.SH АВТОРЫ
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
.SH "СМОТРИ ТАКЖЕ"
selinux(8), httpd(8), chcon(1), setsebool(8)
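Review bot: several spelling slips in the BOOLEANS section: «дерикториии» should be «директории» (httpd_enable_homedirs paragraph), «связанно» should be «связано» (httpd_tty_comm paragraph) and «одина» should be «одна» (httpd_unified paragraph); the sentence introducing httpd_enable_cgi also lacks a full stop before .EX. In the httpd_unified paragraph the text says «Установка этого переключателя в false» without having named the boolean, so the reader only learns it is httpd_unified from the example line; name it in the sentence.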

@ -0,0 +1,30 @@
.TH "kerberos_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "НАЗВАНИЕ"
kerberos_selinux \- Политика Security Enhanced Linux для Kerberos.
.SH "ОПИСАНИЕ"
Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию Kerberos запрещен, поскольку требуется функционирование демонов,
которым предоставляется слишком обширный доступ к сети и некоторым чувствительным в плане безопасности файлам.
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
.PP
Для того, чтобы система могла корректно работать в окружении Kerberos, вы должны установить переключатель allow_kerberos.
.EX
setsebool -P allow_kerberos 1
.EE
.PP
Для управления настройками SELinux существует графическая утилита system-config-selinux.
.SH АВТОРЫ
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
.SH "СМОТРИ ТАКЖЕ"
selinux(8), kerberos(1), chcon(1), setsebool(8)
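Review bot: the NAME line «kerberos_selinux \- Политика Security Enhanced Linux для Kerberos.» ends with a period, unlike the other pages in this commit; drop it for consistency. The description sentence «поскольку требуется функционирование демонов, которым предоставляется слишком обширный доступ к сети» is hard to parse and would read better as «поскольку для его работы нужны демоны, которым требуется слишком широкий доступ к сети».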

@ -0,0 +1,31 @@
.TH "named_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "НАЗВАНИЕ"
named_selinux \- Политика Security Enhanced Linux для демона Internet Name server (named)
.SH "ОПИСАНИЕ"
Security-Enhanced Linux обеспечивает защиту сервера named при помощи гибко настраиваемого мандатного контроля доступа.
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом,
по умолчанию политика SELinux не позволяет демону named осуществлять изменения файлов мастер-зоны.
Если вам необходимо, чтобы named мог обновлять файлы мастер-зоны, вы должны установить переключатель named_write_master_zones boolean.
.EX
setsebool -P named_write_master_zones 1
.EE
.PP
Для управления настройками SELinux существует графическая утилита system-config-selinux.
.SH АВТОРЫ
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
.SH "СМОТРИ ТАКЖЕ"
selinux(8), named(8), chcon(1), setsebool(8)
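Review bot: «переключатель named_write_master_zones boolean» carries a stray English "boolean" left over from the source text; «переключатель» already says it, so drop the extra word.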

33
man/ru/man8/nfs_selinux.8 Normal file
@ -0,0 +1,33 @@
.TH "nfs_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
.SH "НАЗВАНИЕ"
nfs_selinux \- Политика Security Enhanced Linux для NFS
.SH "ОПИСАНИЕ"
Security-Enhanced Linux защищает сервер nfs при помощи гибко настраиваемого мандатного контроля доступа.
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом,
по умолчанию политика SELinux не позволяет предоставлять доступ к файлам по nfs. Если вы хотите
разрешить доступ только на чтение к файлам этой машины по nfs, вы должны установить переключатель
nfs_export_all_ro.
.TP
setsebool -P nfs_export_all_ro 1
.TP
Если вы хотите разрешить доступ на чтение/запись, вы должны установить переключатель nfs_export_all_rw.
.TP
setsebool -P nfs_export_all_rw 1
.TP
Если вы хотите использовать удаленный NFS сервер для хранения домашних директорий этой машины,
то вы должны установить переключатель use_nfs_home_dir boolean.
.TP
setsebool -P use_nfs_home_dirs 1
.TP
Для управления настройками SELinux существует графическая утилита
system-config-selinux.
.SH АВТОРЫ
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
.SH "СМОТРИ ТАКЖЕ"
selinux(8), chcon(1), setsebool(8)
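Review bot: the prose names the boolean use_nfs_home_dir while the setsebool line uses use_nfs_home_dirs; align the prose to the command (and drop the stray "boolean" after it, as on the named page). Also, this page defines no EX/EE macros and sets its commands off with .TP, unlike the httpd, kerberos, named and rsync pages in the same commit; using the same .de EX / .EE block would render the commands uniformly.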

@ -0,0 +1,50 @@
.TH "rsync_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
.de EX
.nf
.ft CW
..
.de EE
.ft R
.fi
..
.SH "НАЗВАНИЕ"
rsync_selinux \- Политика Security Enhanced Linux для демона rsync
.SH "ОПИСАНИЕ"
Security-Enhanced Linux обеспечивает защиту сервера rsync при помощи гибко настраиваемого мандатного контроля доступа.
.SH КОНТЕКСТ ФАЙЛОВ
SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
Политика управляет видом доступа демона к этим файлам. Если вы хотите предоставить доступ к файлам
при помощи демона rsync, вы должны присвоить этим файлам и директориям контекст
public_content_t. Таким образом, если вы создаете специальную директорию /var/rsync, то вам
необходимо установить контекст для этой директории при помощи утилиты chcon.
.TP
chcon -t public_content_t /var/rsync
.TP
Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
.EX
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
/var/rsync(/.*)? system_u:object_r:public_content_t
.EE
.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для rsync вы должны выполнить команду:
.EX
setsebool -P allow_rsync_anon_write=1
.EE
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
.TP
Для управления настройками SELinux существует графическая утилита system-config-selinux.
.SH АВТОРЫ
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
.SH "СМОТРИ ТАКЖЕ"
selinux(8), rsync(1), chcon(1), setsebool(8)
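Review bot: the ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) section holds only the system-config-selinux sentence, while the one boolean on the page, allow_rsync_anon_write, is described under СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ; either move the setsebool example into the BOOLEANS section or remove the empty .TP. Separately, «chcon -t public_content_t /var/rsync» is non-recursive while the file_contexts.local pattern /var/rsync(/.*)? covers the whole tree; suggest -R, or restorecon -R /var/rsync after adding the entry.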

@ -0,0 +1,60 @@
.TH "samba_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation"
.SH "НАЗВАНИЕ"
samba_selinux \- Политика Security Enhanced Linux для Samba
.SH "ОПИСАНИЕ"
Security-Enhanced Linux обеспечивает защиту сервера Samba при помощи гибко настраиваемого мандатного контроля доступа.
.SH КОНТЕКСТ ФАЙЛОВ
SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла.
Политика управляет видом доступа демона к этим файлам.
Если вы хотите предоставить доступ к файлам вовне домашних директорий, этим файлам необходимо
присвоить контекст samba_share_t.
Таким образом, если вы создаете специальную директорию /var/eng, то вам необходимо
установить контекст для этой директории при помощи утилиты chcon.
.TP
chcon -t samba_share_t /var/eng
.TP
Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся
при обновлении контекстов, вы должны добавить записи в файл file_contexts.local.
.TP
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
.br
/var/eng(/.*)? system_u:object_r:samba_share_t
.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ
Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный
доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t.
Данный контекст позволяет любому из выше перечисленных демонов читать содержимое.
Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны
установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для samba вы должны выполнить команду:
setsebool -P allow_smbd_anon_write=1
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
.br
Политика SELinux настраивается исходя из принципа наименьших привилегий.
Таким образом, по умолчанию политика SELinux не позволяет предоставлять удаленный доступ
к домашним директориям и не позволяет использовать удаленный сервер Samba для хранения
домашних директорий.
.TP
Если вы настроили эту машину как сервер Samba и желаете предоставить доступ к домашним
директориям, вы должны установить переключатель samba_enable_home_dirs.
.br
setsebool -P samba_enable_home_dirs 1
.TP
Если вы хотите для хранения домашних директорий пользователей этой машины использовать удаленный
сервер Samba, вы должны установить переключатель use_samba_home_dirs.
.br
setsebool -P use_samba_home_dirs 1
.TP
Для управления настройками SELinux существует графическая утилита system-config-selinux.
.SH АВТОРЫ
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
.SH "СМОТРИ ТАКЖЕ"
selinux(8), samba(7), chcon(1), setsebool(8)
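Review bot: «setsebool -P allow_smbd_anon_write=1» at the end of the sharing section is a bare line, not set off with .TP or .br like every other command on this page, so it will be filled into the preceding paragraph text. The .br immediately after .SH ПЕРЕКЛЮЧАТЕЛИ does nothing, since .SH already breaks the line. As on the rsync page, «chcon -t samba_share_t /var/eng» lacks -R while the pattern /var/eng(/.*)? is recursive.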

@ -0,0 +1,19 @@
.TH "ypbind_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation"
.SH "НАЗВАНИЕ"
ypbind_selinux \- Политика Security Enhanced Linux для NIS.
.SH "ОПИСАНИЕ"
Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию работа NIS запрещена. Это является следствием того, что демоны NIS требуют слишком обширного доступа к сети.
.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS)
.TP
Для того, чтобы система могла работать в окружении NIS, вы должны установить переключатель allow_ypbind.
.TP
setsebool -P allow_ypbind 1
.TP
Для управления настройками SELinux существует графическая утилита system-config-selinux.
.SH АВТОРЫ
Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>.
Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г.
.SH "СМОТРИ ТАКЖЕ"
selinux(8), ypbind(8), chcon(1), setsebool(8)
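Review bot: every .TP on this page is followed directly by either a prose sentence or a command and then another .TP, so each line becomes a hanging tag with no body; use .PP for the prose paragraphs and keep .TP (or an EX/EE block, as on the httpd page) for the setsebool line. The NAME line also ends with a period, unlike the other pages in this commit.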

245
policy/constraints Normal file
@ -0,0 +1,245 @@
#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_op r2
# | t1 op t2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
#
# op : == | !=
# role_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
define(`basic_ubac_conditions',`
ifdef(`enable_ubac',`
u1 == u2
or u1 == system_u
or u2 == system_u
or t1 != ubac_constrained_type
or t2 != ubac_constrained_type
')
')
define(`basic_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
basic_ubac_conditions
);
')
')
define(`exempted_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
basic_ubac_conditions
or t1 == $2
);
')
')
########################################
#
# File rules
#
exempted_ubac_constraint(dir, ubacfile)
exempted_ubac_constraint(file, ubacfile)
exempted_ubac_constraint(lnk_file, ubacfile)
exempted_ubac_constraint(fifo_file, ubacfile)
exempted_ubac_constraint(sock_file, ubacfile)
exempted_ubac_constraint(chr_file, ubacfile)
exempted_ubac_constraint(blk_file, ubacfile)
# SELinux object identity change constraint:
constrain dir_file_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
);
########################################
#
# Process rules
#
ifdef(`enable_ubac',`
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
(
basic_ubac_conditions
or t1 == ubacproc
);
')
constrain process { transition noatsecure siginh rlimitinh }
(
u1 == u2
or ( t1 == can_change_process_identity and t2 == process_user_target )
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
or ( t1 == can_system_change and u2 == system_u )
or ( t1 == process_uncond_exempt )
);
constrain process { transition noatsecure siginh rlimitinh }
(
r1 == r2
or ( t1 == can_change_process_role and t2 == process_user_target )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == can_system_change and r2 == system_r )
or ( t1 == process_uncond_exempt )
);
constrain process dyntransition
(
u1 == u2 and r1 == r2
);
# These permissions do not have ubac constraints:
# fork
# setexec
# setfscreate
# setcurrent
# execmem
# execstack
# execheap
# setkeycreate
# setsockcreate
########################################
#
# File descriptor rules
#
exempted_ubac_constraint(fd, ubacfd)
########################################
#
# Socket rules
#
exempted_ubac_constraint(socket, ubacsock)
exempted_ubac_constraint(tcp_socket, ubacsock)
exempted_ubac_constraint(udp_socket, ubacsock)
exempted_ubac_constraint(rawip_socket, ubacsock)
exempted_ubac_constraint(netlink_socket, ubacsock)
exempted_ubac_constraint(packet_socket, ubacsock)
exempted_ubac_constraint(key_socket, ubacsock)
exempted_ubac_constraint(unix_stream_socket, ubacsock)
exempted_ubac_constraint(unix_dgram_socket, ubacsock)
exempted_ubac_constraint(netlink_route_socket, ubacsock)
exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
exempted_ubac_constraint(netlink_audit_socket, ubacsock)
exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
exempted_ubac_constraint(appletalk_socket, ubacsock)
exempted_ubac_constraint(dccp_socket, ubacsock)
constrain socket_class_set { create relabelto relabelfrom }
(
u1 == u2
or t1 == can_change_object_identity
);
########################################
#
# SysV IPC rules
exempted_ubac_constraint(sem, ubacipc)
exempted_ubac_constraint(msg, ubacipc)
exempted_ubac_constraint(msgq, ubacipc)
exempted_ubac_constraint(shm, ubacipc)
exempted_ubac_constraint(ipc, ubacipc)
########################################
#
# SE-X Windows rules
#
exempted_ubac_constraint(x_drawable, ubacxwin)
exempted_ubac_constraint(x_screen, ubacxwin)
exempted_ubac_constraint(x_gc, ubacxwin)
exempted_ubac_constraint(x_font, ubacxwin)
exempted_ubac_constraint(x_colormap, ubacxwin)
exempted_ubac_constraint(x_property, ubacxwin)
exempted_ubac_constraint(x_selection, ubacxwin)
exempted_ubac_constraint(x_cursor, ubacxwin)
exempted_ubac_constraint(x_client, ubacxwin)
exempted_ubac_constraint(x_device, ubacxwin)
exempted_ubac_constraint(x_server, ubacxwin)
exempted_ubac_constraint(x_extension, ubacxwin)
exempted_ubac_constraint(x_resource, ubacxwin)
exempted_ubac_constraint(x_event, ubacxwin)
exempted_ubac_constraint(x_synthetic_event, ubacxwin)
exempted_ubac_constraint(x_application_data, ubacxwin)
########################################
#
# D-BUS rules
#
exempted_ubac_constraint(dbus, ubacdbus)
########################################
#
# Key rules
#
exempted_ubac_constraint(key, ubackey)
########################################
#
# Database rules
#
exempted_ubac_constraint(db_database, ubacdb)
exempted_ubac_constraint(db_table, ubacdb)
exempted_ubac_constraint(db_procedure, ubacdb)
exempted_ubac_constraint(db_column, ubacdb)
exempted_ubac_constraint(db_tuple, ubacdb)
exempted_ubac_constraint(db_blob, ubacdb)
basic_ubac_constraint(association)
basic_ubac_constraint(peer)
# these classes have no UBAC restrictions
#class security
#class system
#class capability
#class memprotect
#class passwd # userspace
#class node
#class netif
#class packet
#class capability2
#class nscd # userspace
#class context # userspace
undefine(`basic_ubac_constraint')
undefine(`basic_ubac_conditions')
undefine(`exempted_ubac_constraint')
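Review bot: the «# SysV IPC rules» header is the only section header in the file without the closing «#» line that the File, Process, File descriptor, Socket, SE-X Windows, D-BUS, Key and Database headers all have; add it for consistency. The two basic_ubac_constraint(association) / basic_ubac_constraint(peer) lines after the Database rules have no section header at all and, unlike every other class, no exemption attribute; a short «# Network rules» header with a comment on why these classes take the unexempted form would make the intent clear to the next reader.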
